What are the realities and myths of in-flight cyber threats? How should operators and providers act to ensure safe cabin connectivity? AvBuyer spoke with Doug Young, VP, software architecture, Gogo Business Aviation to learn more...
Cabin connectivity has been developing in business aircraft cabins at an exhilarating rate over the past decade. Today, even operators of relatively small cabin aircraft can enjoy continual Wi-Fi access and text messaging on domestic flights, while operators of larger trans-continental jets can experience all the connectivity and entertainment they would expect at home or in the office, virtually anywhere they fly on the planet.
But as quickly as these capabilities and opportunities have developed, so has the need for the providers of in-flight connectivity to stay ahead of the cybersecurity challenges and threats that arise.
“At Gogo, we like to say security is built in and not bolted on,” Doug Young, vice president, software architecture, Gogo Business Aviation told AvBuyer in a recent interview.
“By that, we mean every aspect of our telecom network as well as the hardware and software of the onboard systems.”
Young has enjoyed a career in software consultancy stretching back to 2005. He joined Gogo Business Aviation in 2012, initially as a software consultant and since 2015 as vice president, software architecture.
Responsible for thinking strategically and operating tactically to drive and deliver on Gogo’s software technology vision, Young ensures that all systems are built and executed to provide the best customer facing experience.
Doug Young, VP, Software Architecture, Gogo Business Aviation
“We start thinking about cybersecurity before we write the first line of code, before we design the first piece of hardware,” he elaborates. “Cybersecurity is part of the conversation at product inception all the way through the product development lifecycle.
“Whether it's how we secure a cell site, how we try to prevent malicious software from being put into one of the LRUs that we build and install in an airplane, or whether it's how we do intrusion detection in our data centers to ensure that no bad actors can get into our environment – it's all encompassing,” Young says.
Within the cabin of a business jet the nature of work can often be of a sensitive or confidential nature as a corporation transports its most productive and senior personnel. Such forward-thinking approaches to the threats to privacy are no less than a private jet operator would expect without ever really thinking about the effort that goes into the process.
“Because we uniquely operate and manage our systems end-to-end, Gogo can monitor and analyze the security of our network and onboard systems,” Young adds.
“And, through our own standards – or in partnership with the FAA and other aviation stakeholders – we’re solving cybersecurity problems before they happen, so operators can connect confidently when they fly.”
And it’s with this grounding in the measures Gogo Business Aviation takes to protect the data of its customers that AvBuyer asked a few more cybersecurity questions of Mr. Young to understand more…
AvBuyer:Can you tell us a little about the history of cybersecurity in relation to Business Aviation? How have you seen it evolve and what priorities have driven this evolution?
Young: In the earliest days, when people were using analog mobile phones, anyone with a scanner could listen to the phone conversations. So, when we built our air-to-ground (ATG) network we took the security of the link into account and secured the network with Code Division Multiple Access (CDMA) technology.
CDMA is the technological backbone used by two of the largest wireless network providers in the US and others around the world. All data transmitted over the network is secured through licensed spectrum with proprietary link layer encapsulation for secure air-to-ground communications.
And when we designed and built our latest systems on the AVANCE platform we did so using hardware and software security features with cybersecurity in mind. Not only could people not eavesdrop on conversations, but the platform itself could be as secure as possible.
AvBuyer: Despite the high level of attention addressing cybersecurity concerns, are there any commonly held myths that you hear in relation to cabin connectivity on business aircraft?
Young:Some in our industry would have you believe that you’re at greater risk of an attack when you’re connected from your aircraft. That simply isn’t true. The level of risk is the same in the air as it is on the ground and the same practices you implement to protect your information and data on the ground should also be used in the air.
For example, if you use a VPN when you connect from a laptop when you’re on the ground, you should use a VPN when you connect from a laptop in your business jet. If an email looks suspicious and you wouldn’t open it in your office or at home, then don’t open it when you’re in your business jet.
Another myth is that aircraft connected from the air are at risk because a hacker might be able to take control of the cockpit or engines via the onboard connectivity system. That’s not true and it’s not possible.
By design, the onboard aircraft communications equipment is isolated from the cockpit network, so other airborne system components cannot be accessed from the Wi-Fi being used in the cabin.
As we were looking at the entire threat landscape, what we realized is that the biggest threat is not the hacker in a hoodie (that’s something that’s been perpetuated by the industry). The bigger concern is from the highly sophisticated criminal networks that are highly organized. They have extremely high financial goals and standards.
These networks model themselves after a high-functioning business, and their business is to compromise companies and steal their intellectual property for financial gain or to perpetrate financial fraud upon them. The threats are real and that’s why this needs to be taken seriously. You must be diligent.
AvBuyer: How might the challenges of cybersecurity differ depending on where an airplane is flying?
Young:Cyberpiracy and cybercrime is constantly changing. It's important for us (or any other connectivity provider you may be using) to be adaptable in cybersecurity or in any part of our (their) business. It's important because having developed broadband for airborne use we’ve had to continually adapt.
Speaking for Gogo, we can provide a secure connection for our customers because we own the entire experience. Every piece of the infrastructure that we provide to our customers we secure, monitor and ensure it is as tightly protected as it can be from bad behaviors. It’s one of the benefits only a truly vertically-integrated player can provide.
When someone travels outside the US, if they’re using their cabin connectivity system, they are using a satellite-based system which brings new challenges. It is important for a customer using satellite connectivity to speak with their provider about how they secure their networks and systems.
In certain countries, if you’re flying over or are on the ground, you need to be very diligent to protect your data from being compromised.
AvBuyer: While cabin connectivity providers go to great lengths to ensure cybersecurity is optimized in their equipment, what are the practical steps jet operators can take?
Young:Whether you're in the air or on the ground, the persistent cybersecurity threats are always there. As mentioned, those behind the threats are trying to compromise your company's intellectual property, and they're trying to perpetrate financial fraud upon your company. This is true whether you're on the ground, in the air, traveling in your car, at home or in a hotel.
It's important to understand that cybersecurity is a team sport. It takes everyone to battle these cyber criminals. Whether it's Gogo (as your service provider), your corporate IT department which has been fighting this battle within your home office for many years, or our regulatory partners at the FAA, all these people – and the collaboration amongst all the groups and organizations – is extremely important in understanding and preventing your data from being compromised while in flight.
Gogo suggests you consult with your IT department. It's vital to follow your corporate IT policies and always be vigilant.
This isn’t just about not clicking on suspect links in emails, but always being watchful for things that don’t look right. If something looks fishy, keep on the side of caution.
You can use a corporate VPN with airborne networks just like you can on the ground. Most in-flight connectivity providers support this idea. Consider the way you connect from your aircraft as similar to how you use your mobile device on the ground.
People who fly on corporate aircraft ultimately lead very busy lives. That's one reason why they have such high expectations for in-flight wireless. Ultimately, when they go to their flight department, and when they step on their aircraft and they use the Gogo network, we believe the time they are on their aircraft is the most secure time of their day.
More information from https://business.gogoair.com/