- 22 Sep 2022
- Chris Kjelgaard
- Jet Connectivity
While cyber-security threats are very real and quite widespread for everyone in the Business Aviation community, various measures exist to help aircraft owners, pilots and passengers protect themselves. Chris Kjelgaard gets tips from the experts…Back to Articles
If you’re looking to protect your crew and passengers from cybersecurity threats in-flight, there are some best practices to follow. The industry’s leading experts provide tips on what to do to protect yourself from the risk of security breaches.
If you’re looking to protect yourself and your passengers against hackers seeking to obtain access to, and control devices and sensitive personal financial and identity data, the following top tips from the industry’s experts should help…
Use a VPN: One major measure is for Business Aviation users to protect themselves by always having their devices use a Virtual Private Network (VPN) to connect with the potentially security-compromised Wi-Fi networks at their FBO, maintenance facility and their aircraft, according to Mike Syverson, Senior Vice President of Development and Operations for Gogo Business Aviation.
“The threats are there whether you’re in the air or on the ground,” he says. “That’s why we recommend using VPN connectivity at all times — it provides the best protection for your data.
“Gogo’s network data centers and the radio link are secure, but there are other vectors for a bad agent to attempt to gain access,” he adds. “Just as you would take steps to ensure you’re being careful with your information when you are on the ground, you should have the same mindset when using in-flight connectivity.”
Gogo reckons “for individual owners, the aircraft is one of the safest places to operate in while in flight,” says Syverson. But charter flights can represent a sizable cyber-security risk. “If you’re on a charter service with other passengers you don’t know, VPN is a great way to protect your data in the cabin. Being diligent and careful with data is always important regardless of where or how you’re accessing it.
While Josh Wheeler, Senior Director, Entry into Service and Client Services for Satcom Direct agrees that “VPNs are great” for reducing cybersecurity risks, he highlights they can also present a problem for use in-flight — particularly in aircraft whose Wi-Fi networks don’t offer high bandwidth.
“The amount of data required [by any VPN] from an encryption perspective can be a challenge on an aircraft,” he says. “The challenge is that it creates a limited data pipe”—which is compounded by high latency between signal transmission and reception when using satellite communications networks, and low bandwidths if the satcom network to which the aircraft is connected is one of the older, less capable ones.
Surf Carefully: Beyond VPN, it’s important for people to be careful with their email and the types of websites they are visiting, says Syverson. “With all cyber threats, one of the greatest vulnerabilities is individual use, and that threat is only going to increase.
People need to be careful with the emails they open, the links they click, or the documents they download. A little common sense and a little caution can go a long way, but your corporate chief information services officer can provide policy, training, and best practices as well.”
Firewall & Antivirus Solution: Business Aircraft owners, pilots and passengers can also take other common sense steps to protect their devices from being hacked while onboard the aircraft, Wheeler says.
“Having good firewall and antivirus protection on your device makes perfect sense,” even if you plan just to limit your connected activities onboard to receiving and sending text messages from your smartphone. “Viruses can happen even in Apple and Android devices, and if you volunteer information to a text message, you’re compromising security,” he points out.
Talk to your Service Provider: Additionally, if you are an aircraft owner you should “talk to your service provider and ask, what happens to my data when it leaves the aircraft?” High-quality airborne connectivity providers such as Satcom Direct and Gogo Business Aviation provide cybersecurity arrangements and assistance levels that go far beyond just offering printed training and awareness materials.
For Gogo Business Aviation, “inflight cybersecurity threats are real and that’s why security isn’t something we have added after the fact,” notes Syverson. “Since our beginning, we’ve built security into the design and delivery of our networks and systems.
“Security is in our DNA. At Gogo, security is built in, not bolted on, and it’s not something we’re trying to profit from. It’s something we build into everything we do from our networks to our onboard systems — both hardware and software — and our secure data centers.
“Gogo Business Aviation provides a complete, secure, end-to-end connectivity solution for Business Aviation that includes proactive, real-time monitoring of the connection from its network operations centers,” adds Syverson. “We don’t charge for it—it’s part of what customers get when they buy Gogo’s connectivity solutions.
Satcom Direct, meanwhile, provides three escalating levels of cybersecurity protection, according to Wheeler. The protection starts with threat monitoring, and Satcom Direct routes all of the digital data coming from and going to every customer’s aircraft through its secure data centers.
The next security level the company offers each customer is a specific, fully-encrypted service set identifier (SSID) Wi-Fi LAN network that’s unique to that customer.
The third and highest security level Satcom Direct offers customers is to route all of the digital data uploaded to, and downloaded from, the aircraft’s Wi-Fi network “back to your corporate headquarters, so all of your corporate security policies and protections carry over into the aircraft,” according to Wheeler.
Satcom Direct takes customer cybersecurity so seriously that it offers a sizable variety of cybersecurity courses to all interested parties in the entire Business Aviation industry — not just its customers — and also, for companies’ flight departments, crew training in cybersecurity awareness and threat mitigation.
According to Wheeler, Satcom Direct’s Aero IT Program is the Business Aviation industry’s only certified training program for airborne computer networks. Cybersecurity in the air “is always a moving target,” he says. “It’s always going to change.”
A Potential New Kind of Threat?
In fact, Wheeler is concerned that the moving target which airborne cybersecurity represents could evolve soon in a new and ominous way.
So much engine and aircraft condition-monitoring data is now being transmitted off-aircraft by the current generation of flight decks reliant on IP-driven avionics that a risk exists that flight deck communications could be “exploited by someone knowledgeable enough”, he says.
Wheeler sees this risk as particularly targeting datalink communications via analog ACARS text messaging, or via digital FANS or FAA Data Comm Controller-Pilot Datalink Communications, between air traffic controllers and aircraft flight decks.
The mere thought of spurious ATC instructions being sent to business aircraft flight decks and acted upon by pilots and flight management systems is a chilling thought. “Datalink compromise is certainly a potential threat as these future nav systems are all being driven by IP data,” wheeler says.
“It’s not a stretch of the imagination to think that a bad actor could send bogus information or data to the flight management system. However, as the industry progresses towards FANS, regulatory authorities are mandating that datalink should be cybersecure.”
The entire world of aviation can only hope that the airworthiness regulators are fully successful in those mandating efforts — doing their utmost to ensure that malignant false datalink communications can never become an issue.
More information from:
Gogo Business Aviation: https://business.gogoair.com
Satcom Direct: www.satcomdirect.com
Read about the top cybersecurity threads to business jets