EPISODE 1859

[INTRODUCTION]

[0:00:00] ANNOUNCER: Aviation cybersecurity is becoming an urgent priority, as modern aircraft increasingly rely on complex digital systems for navigation, communication, and engine performance. These systems were once isolated, but are now interconnected and vulnerable to cyber threats, ranging from GPS spoofing to ransomware attacks on airline infrastructure. As nation state actors and criminal groups grow more sophisticated, the aviation sector faces a rapidly expanding attack surface, with life-or-death consequences. Understanding and addressing these risks is essential, not only for passenger safety, but for the resilience of global transportation networks. Serge Christiaans is a former Dutch Air Force pilot with a background in electronic and hybrid warfare. He later flew commercially for Singapore Airlines and is now the lead instructor and program director at the Aviation Cyber Academy. He joins the podcast with Gregor Vand to discuss the convergence of aviation and cyber security, the aircraft as a digital attack surface, hybrid warfare, the urgent need for aviation cyber resilience, and much more. Gregor Vand is a CTO and founder, currently working at the intersection of communication, security, and AI, and is based in Singapore. His latest venture, Wyntk.ai, reimagines what email can be in the AI era. For more on Gregor, find him at van.hk, or on LinkedIn.

[INTERVIEW]

[0:01:42] GV: Hello. Welcome to Software Engineering Daily. My guest today is Serge Christiaans. Welcome, Serge.

[0:01:49] SC: Hi, Gregor. Thank you very much for the invitation.

[0:01:51] GV: Yeah, this is a very interesting one for us to do today, as we're going to get into based on the fact that you are a practicing pilot, but you're also a practicing CISO as well. We're going to get into how this has all come about. I think that's where we should start. We always start with guest's career journey, if you like to call it that.
It almost feels like you have two careers, both you've managed and you're still doing both today. Tell us about how are you doing these two jobs effectively?

[0:02:21] SC: Okay. Well, I started my career at the Military Academy in the Netherlands, in the Air Force and then flying in the Netherlands for the Dutch Air Force for about 16 years. I was also involved in electronic warfare, hybrid warfare, and plenty of operations and NATO operations abroad. Then I moved to commercial aviation, flying 737s in the Netherlands. But as an ex-military pilot, that was so insanely boring. I started my own IT company parallel to that. That company actually started growing into more cyber security, as cyber became an issue around 2010, 2011 when we saw the first cyber-attacks. I was still flying then, but also in my spare time, serving customers, mostly SMEs and managing their infrastructure. Then at some point, I moved to Singapore, flying for Singapore Airlines, or Scoot, actually, for the Airbus 320. COVID happens, I took that opportunity to do a masters in cybersecurity, and then during COVID I had several full-time CISO roles responsible for Asia-Pacific regions, top-listed multinationals, which was very different from flying, but I'd say, my military academy management skills were very useful. It was, again, very interesting. I learned a lot. Then at some point I looked in the mirror and I thought, "Nah, dude. You want to fly again. You miss it." I did. I started flying again, but now all the knowledge that I had on cybersecurity and my CISO experience, I found myself in the middle of aviation cybersecurity. When digging into that, it's actually a very small world. Not many people are in that intersection, and I really felt I needed to do something with the knowledge I have on both sides. I'm helping the aviation industry on plenty of different occasions.
I speak a lot at conferences raising the flags on awareness that especially airplane, cyber and the threat surface that an airplane poses, because there are many people also high-level management of airlines that actually do not understand this risk and what we need to do, which is actually comparable to what I found when as a CISO working for large companies. It's the same problem all over. They don't understand the business risk of cyber, which is the largest risk that any company has, not even aviation or an airline. Cyber is your biggest risk. If you don't understand that, that your company can go down in a week, regardless of how great your clients feel about you, or how low your prices are, or how great your product is, you will go down if you have a ransomware attack that you haven't prepared.

[0:04:58] GV: Yeah. I mean, I think probably quite obvious to many, but worth calling out is just the stakes are incredibly high in aviation, because you just don't have the same time to deal with the problem. We're going to get into what that even means, cyber in the air. Just before we go there, a couple of questions, I guess, as I have quite a few pilot friends actually, and there's obviously a lot of downtime between where you fly to and from. I guess, this is how you're able to do both at once. Is it difficult to mentally switch between flying and then being a CISO, or how does that look?

[0:05:31] SC: Well, not for me. It's like switching languages. If you speak both languages well, you switch without knowing. You sometimes even think in the other language without knowing. Or compared to driving in Singapore, I drive on the left side. Here in Europe, I drive on the right side. I just get in a car and I just do it. Sometimes if I'm tired, I approach a roundabout, I need to think, "Okay. Left or right. What is it?" In general, I don't have that problem, because I speak both languages good.

[0:05:58] GV: I think that's good way of describing it.
Then if we just think about, just to lay the land here, cybersecurity in aviation. How would you describe? I mean, you've touched on it, I think, just in what you were saying a few minutes ago. How would you describe the maturity of cybersecurity compared to other critical infrastructure sectors?

[0:06:22] SC: Well, actually, we have statistics on that. There is research on that. It seems that aviation is about in the middle, which aligns with my experience as well. In general, of course, the financial sector, the financial services, healthcare, energy sector, they are more mature in general. Manufacturing is way less mature in general. We're about in the middle. One of the main reasons is, of course, that in the aviation industry, we focus on physical security threats in general. We don't like change, because everything we change might change our safety posture as well. It's all about safety. What we do now is safe. Everything we change might compromise that safety, because in aviation, safety is written in blood, we say. It's based on experience. With an open culture, we want to learn of everything that happens so we can prevent it from happening again. Then, when everything is balanced, is coordinated, and it works like this, and we have a high safety level, you don't want to change it a lot, because you're introducing more risks. That's a part of our culture that doesn't help getting more cyber resilience. That's one of the things I'm fighting at the moment.

[0:07:32] GV: Got it. Okay, that makes a lot of sense. Let's dive into what it even means cybersecurity in aviation. Some of our listeners will be familiar with the term attack surface, in terms of just conventional, what an attack surface in cyber security, i.e. what an attacker might see and be able to think about attacking. How does that look in terms of aircraft? What does an attack surface of an aircraft even look like?
What are the things that people might just not realize even exist as part of that attack surface?

[0:08:05] SC: Okay, let's start with describing a modern aircraft as a flying server room with hundreds of computers onboard. If you look at it like that, that is a huge attack surface on its own. There's a lot of digital stuff onboard, but also, cyber-physical elements that are hybrid, and it's the hybrid things and the hybrid attacks, by the way, as well, and hybrid warfare that's actually falling in between. Nobody understands that one, except the ex-military guys. It's not cyber and it's not warfare, and it's not in the newspapers. But that's a different topic. Talking about threat surfaces of my airplane, it's all the computers, all my navigation systems, my flight management systems, big and small computers, GPS receivers, ACARS, SATCOM, it can all be spoofed, it can all be exploited. Even my maintenance systems can be compromised, and one of my biggest worries where nobody talks about is actually my engines. My airplane, half of the price, half of the money goes to the engines. These things are insanely complex. If I open up a few of these hatches, they're going to be amazed what you see there. It's a miraculous piece of high tech. These things are constantly sending data to the manufacturer. This is also part of my threat surface. If somebody could switch these things off in flight, then I'm not an airplane anymore. I can do without a computer. I have backups on this, backups on that, we have workarounds. That's all fine. As long as I'm still an airplane, I have fuel, and I have a landing gear to land on, then I'm fine. Without engines, I'm a glider.

[0:09:45] GV: That's an interesting one. Let's just stick on engines for a second. You mentioned that the engines are sending telemetry to the manufacturers.
In theory, is there a risk around that communication, the other way around where something goes wrong at the manufacturer, and some kind of communication is able to be sent to the engine that does something nefarious? I mean, is that a possibility?

[0:10:10] SC: Theoretically, yes. It's the same as your phone. Somebody could switch it off. Somebody could DDOS it, or make it unusable, or find a switch. What nation-state threat actors are doing right now with our critical infrastructure, mainly China. They're creating switches that they can push, so they create chaos.

[0:10:28] GV: Interesting. I mean, looking at general connectivity, could you actually explain, I believe, there's this acronym, ARINC systems. Perhaps, you could just explain, A, what does that stand for? I believe, it's a protocol. Could maybe just dive into that protocol a little bit, and how has that increased the threat landscape as well?

[0:10:48] SC: ARINC is a protocol that was, I think, in 1927 in the last century, radio communication protocol that was designed for standardization purposes. In airplanes, we have an ARINC 429er. That was the first communication bus, actually. It's called the communication bus, that was built into the digital backbone of airplanes to communicate, to enable communication between different systems onboard. Now, the ARINC 429er was designed in the 70s, the last century. A long time ago, there were not really physical wars going on. The cyber didn't exist. The first computers, I think we had MS-DOS back then, just came out. The word cybersecurity didn't even exist. These things were designed for reliability, and not for a message injection or spoofing attacks. Now, next to that, the long operational life cycles we have in aviation means that we have a lot of fern of old systems flying around for many years to come. That doesn't mean there's no improvement. There are developments. We have the ARINC 629er, which is more secure, more safe.
We have the 664, the AFDX, which is a full duplex, which can handle encryption, which all is a big improvement, but it's only for the newer airplanes.

[0:12:04] GV: For example, when you say newer airplane, are we talking like A350? Or does it have to be, I guess, A350 is one of the newest aircrafts, but do A320s have that newer - if they rolled out the factory today, do the A320s get that new protocol, or a new bus?

[0:12:19] SC: Yes, that's a funny thing. Every time I ask Airbus, they don't tell me. Every time I ask Boeing, they don't tell me. The same goes for Embraer. I visit a lot of aviation events, talk to the chief pilots and the test pilots of these airplanes. I think you can imagine that this is proprietary information and they're not going to give it out to the first idiot with a Boeing cap visiting their booth. It's very difficult to find out. We have to believe that they are doing their absolute best and that they have a very well-equipped cyber-team, then they're looking at it. At the end of the day, I cannot do a penetration test on my airplane. Because for that, it actually needs to be in the air. You can understand, it's physically no pun intended air gap. That's nice. But if you want to do a pen test, you have it in the hangar, you need to have the engines running as well, because then you know all the systems are online. Even then, the air ground switch will be on the ground side. Not all will be working. It's very difficult to do that.

[0:13:13] GV: Yeah, okay. Interesting. Let's talk about actual cyber-attacks mid-flight. I mean, I believe, you do actually train pilots to understand what a cyber-attack might look like mid-air, and I guess, how to deal with that. Could you just walk us through what kind of things do you teach pilots in this sense? What are they looking out for?
Then crucially, what are they supposed to then, like what are some at a high level, what steps are they supposed to step through to help mitigate that, whilst they're literally flying a plane at 35,000 feet?

[0:13:46] SC: Yeah. Well, first of all, there's only about 20% of pilots globally that receive actual training in this. All the other ones receive memos. It's not being trained in simulators, for the simple reason that aviation authorities are not asking for it. We do what we need to do to be compliant. We don't have time for other stuff. When I'm in the simulator for four hours, there's a very intense program. There's no 10-minute space to have a look at GPS spoofing, or jamming. It's just not in the program. That's exactly the same reason, because the upper management doesn't understand this is needed. There is no awareness of the risk, the business risk of cyber. It needs to be top-down. The board needs to decide, "Yes, we need to train this." Then it goes to the training department. They will make a training program. Then we go in the simulator. Then we learn how to react on this. Until that happens, nothing happens. There's only 20% of pilots that are being actually trained. The other ones, all, and there's also scientific interview data on that one, the other ones are uncomfortable in a situation like that, because they don't actually know what's going on.

[0:14:56] GV: Yeah. Can you walk us through just what a cyber-attack might present as in the cockpit, for example?

[0:15:03] SC: Yeah. In aviation, we're being trained on emergencies and we practice these emergencies and we learn how to identify them. Quite often, the airplane helps you identifying them. Let's say, I have an oil pressure where my left engine is going below limits, and the airplane will pop up a message, a notification, if you will, that says, "Hey, have a look at your engine pressure, because it's not going great." Then I make a decision.
We look at it and we take out a checklist, or we divert, or whatever we feel we need to do to keep the operation and the people in the airplane and my crew safe. Now cyber-attack on your airplane is actually something you never saw before, most likely. By now, everybody has seen a GPS jamming, or a GPS spoofing, but there are still plenty of pilots who do not understand yet the difference between it, because they have not been properly trained, or the results, or the long-term effects on your airplane of a spoofing attack. What we normally do, the basic rules for handling any emergency in any airplane anywhere in the world is aviate, navigate, communicate. The first thing you do, whatever is going on, fly the bloody airplane. Use your primary instruments, keep on flying. Don't focus, don't look inside at instruments, or try to get manuals out, or start a discussion with your first officer while the airplane is going down. That's not a good idea. Aviate first. Then navigate. Where are you going? Where are you heading? Where do you want to go? Make sure you have a heading where you're not going into a mountain, for instance, or you're not going over a busy airport. Get out of dangerous airspace. Then the last one, communicate this, not only to air traffic control, but to your crew, to your cabin, to your passengers, if you have time in the right order. Now for any cyber-attack, things will be happening that you don't understand. You will have contradicting information like, this system says, my position is here, and this system says my position is there. Where am I? I don't know. Or, hey, suddenly my engine data is blank. Maybe your engine is being hacked. I don't know. Or in hybrid warfare, maybe your ACARS is spitting out a message from operations that you're not expecting. You need to think. You need to start thinking. What we need to do is to isolate, disconnect the suspected system, and try to resolve the problem after isolation. Then the last one is to document.
We need documentation about this, because every attack is probably new. Because one of the more important things of cyber resilience is sharing cyber threat intelligence. We need to document this, so we can immediately tell all the other pilots in the world that this is happening in this area, most likely by this threat actor. Sharing is caring. It's very important. Stronger together.

[0:17:56] GV: Yeah. We're going to get on a bit to culture in a bit as well, this idea of just culture versus blame culture, but we'll get there. Yeah, I think that's very interesting just to think for a second just about that situation where, as you're calling out a pilot, can never know for sure if what's going on is an attack. And so, that's half the problem. Then the second problem is then that distraction and your overarching way of training this situation is, as you say, fly the plane. That's the first thing. Don't take your eye off what you should just be doing, which is flying the plane. Obviously, you're having to make a whole bunch of other mental assessments. I mean, you mentioned ACARS switch. I'm a hobbyist sim flyer, so that's the messaging system, I guess, where literally, an airline can, or I mean, I think pilots can also send messages, like toilet broken. So, when they land, people know to come and fix it and that kind of thing.

[0:18:49] SC: Yeah. The ACARS is our onboard fax. Very old system. It's not encrypted. Anybody can read it. I can build a little list soft radio here, and you can even receive it and read it. There's no classified information going over that thing, but operational information for sure. You can also send up, and imagine the chaos you can do that with false messaging that are not verified. In the military, we verify all messages. In civil aviation, not like that yet. Working on it.

[0:19:16] GV: We're going to move on to, I mean, you've been using this phrase a lot, hybrid warfare. I think I'd just like to understand that one a bit more.
When we talk about critical infrastructure, hybrid warfare, let's start with you've touched on, obviously, nation states already, Russia, China, Iran, for example. I mean, we're not maybe here to dig into exact nations so much, but just the understanding, what is this landscape? What is hybrid warfare at all? I guess, how does, especially commercial, I mean, I guess, are we talking commercial aviation comes into this, or military aviation drones? Just, what is all this?

[0:19:51] SC: Okay. Classic warfare, we call kinetic warfare. Kinetic warfare is when things are kinetically flying around, like missiles, bullets, rockets, and it's about destruction. Hybrid warfare, there's actually nothing flying around. It's not peace, but it's also not kinetic warfare. It's everything in between. Cyber warfare is a part of hybrid warfare. But there are many other gray shades in hybrid warfare, like disrupting transport train systems in a country. Quite often, the goal of hybrid warfare is disruption. It's showing power below the threshold of war, which means that in NATO, it's going to be very difficult to call out Article 5 if it's hybrid warfare. We need to agree on that, all of the member states. Which is a problem, because for some, this might not be an act of war. For others, it's a very clear act of war. Blowing up a bridge might be an act of war, but a cyber-attack on the bridge control system might not be. But both have the same effect. The bridge is unusable for logistics and for ammunition and to go to the front line. That is hybrid warfare, creating chaos. A cyber-attack on my airplane is probably not aimed at killing us, but creating chaos. About showing, "Hey, look. See what we can do. Better be careful. It's threatening." It's what Putin is doing all the time, of course.
He's threatening with nuclear weapons, but he's also attacking the whole digital infrastructure, critical infrastructure of every country in Europe next to all the disinformation campaigns that he's throwing out. That is also warfare. It's hybrid warfare, but it's still warfare.

[0:21:37] GV: Understand. I mean, especially given a lot of airlines today are still effectively extensions of countries. Most countries have a national airline. I mean, in the UK, British Airways is not owned by the government, but I think most people still associate British Airways as being the national airline, for example. Then obviously, we have the big nation players, like Emirates, Qatar, etc. Does that play into it where, as you say, causing chaos, showing a signal through cyber warfare on commercial aircraft is by extension targeting a government, for example?

[0:22:10] SC: I would say so. Yeah. It's a show of force, definitely. Don't forget in China, all Chinese companies are owned by the Chinese government. Or not owned, but at least controlled. If you look now at Flight 24, you see Chinese airplanes just flying over Russia, no problem at all. We need to avoid conflict zones, conflict areas, because there are trigger happy people down there with high-tech equipment built to shoot you down, and that has happened before, and it will happen again.

[0:22:40] GV: I mean, if we look at the cyber side, does proximity come into this as well, as you call it, flying over, flying in certain airspace? I think it's clear why flying in an airspace would make you more at risk of a literal missile, for example. But does it then also increase the attack surface in terms of where you're flying?

[0:23:03] SC: Actually, it doesn't, because these missiles are able to fly hundreds of miles. I don't even have to fly near the border. They can even hit me here over at Amsterdam if they want. But that must be an intentional order given by some high up commander.
Quite often, it's just trigger happy, untrained soldiers on the ground that see a target and think, "Oh, crap. This is not ours," and they fire. If your military is badly trained and with a corrupt command and control structure, which we have in Russia, everybody's trigger happy. There's no discipline.

[0:23:38] GV: Moving away from pure aircraft for a second, actually looking at airports as well - Now, I mean, I think maybe the one that our audience might be aware of recently, which was not a cyber-attack, but it clearly showed that what could happen was obviously a CrowdStrike and how CrowdStrike managed to inadvertently take out airports, control systems, well, not control systems, but a lot of display systems and just logistic system so people simply couldn't fly. Is that something you advise on, or deal with as well? Not in the air, but actually on the ground as well.

[0:24:11] SC: Well, I think one of the basics of cybersecurity, all CISOs will preach that is stay away from single points of failure. It's not aviation related. It's a single point of failure, and you need to have a plan B. Remember, I think it was Heathrow that shut down for a few days due to an electrical substation. Single point of failure. Very effective details, actually, but not intended like that. Those are basics. In general, whenever I am consulting anybody in aviation, we fall back to the basics. It's basic cyber hygiene. That's not only in aviation, that's in every sector, every industry. Everybody needs to go back to basics. Simple, vulnerability reduction, simply identity management. It's not rocket science. We have all the knowledge. We have all the tools. We can implement it. But somebody has to put the money aside, organize it and say, "This is how we're going to do it." Until then, we are vulnerable. Everybody, not only aviation. Back to basics. Basic cyber hygiene is what we need to focus on for the next couple of years.

[0:25:22] GV: Yeah.
I think that's very interesting, where people maybe think it's more complicated than it needs to be, quite frankly, to keep on top of this stuff where, even though it's an airport and it's a critical piece of infrastructure in a country, the people actually running the airport, unfortunately, might still be a bit behind when it comes to, as you call out, just basic cyber hygiene. Very interesting. Let's move on to, I know that you've got a lot of thoughts around leadership and culture in this space. I think it's very interesting to cross over here, where the way that the aviation industry operates. Cybersecurity could probably learn a few things. I think the big one here is this idea of just culture, which is juxtaposed with blame culture. I think let's go there and maybe you could help us understand what is just culture? Why has it been in aviation a while? How does that maybe translate over to, or should be translating over to cybersecurity as well?

[0:26:17] SC: Very interesting cross-over. I gave a presentation last year at Black Hat about what cyber security teams can learn from aviation just culture. It's actually very simple. Just culture is a culture where you encourage incident reporting without fear of punishment, to enable the organization, to learn, and to improve. Because humans make mistakes. We are human, we make mistakes by default. That is okay, as long as you don't do it intentional. Basically, there's a gray area in that, but this is basically what it is. If I make a hard landing, I make a mistake. Okay, then I report it, so other people can learn. If I am being spoofed with a new system and I see data that I've never seen before on my instruments before, I report it, so everybody can learn. Then, I don't want it to stay inside my company. I want the companies to share. I want the aviation sector to share. Not only sovereign, I need global sharing. That's why we need CII6 to get all this information out there with our friendly allies.
Back to just culture, that's basically what it is. We see a lot in large companies, not aviation companies, but maybe also aviation companies like airports, where people are clicking a phishing email and, "Oh, I think that was wrong. I better go home now. Maybe nobody sees it." Then without knowing it, within 17 minutes, your whole network is compromised and infected. If this person would have called their CISO, they might have been able to mitigate and keep it within the house. It's about the culture and the culture goes top-down. It's leadership by example.

[0:27:56] GV: I think that's a good way of explaining it. There's a website that some of the audience may know, called Aviation Herald, AV Herald. That's at least that's where I as a layman go to just check up on reported incidents. They get classified, crash, obviously being the worst, and then I think accident and then incident, or something like that. The funny thing is, I've noticed how the airline, again, let's just take British Airways, for example, a lot of things pop up from British Airways, and some people might look at that and go, "Wow, they have so many issues." Actually, I'm much happier seeing that than the airline I never see. I don't know which one to name, but there are certainly airlines that virtually never pop up. That to me is, that's a reporting problem. Actually, there's just safety in reporting effectively.

[0:28:44] SC: How often do you see a Chinese or Russian airline pop up, or an airline that is part of any dictatorship? None. It doesn't happen. Because they carefully cherish their ego and their image and their reputation. Of course, let's not forget AV Herald, I think it's a British publication, isn't it?

[0:29:00] GV: It could be. Yeah, I'm not actually super sure. But yeah.

[0:29:03] SC: Anyway, they are well linked with information into British Airways apparently, which might give you as a reader the wrong idea.
Luckily, there is a global international cap statistics to keep it all within proportion.

[0:29:14] GV: I mean, we see this in, obviously, cybersecurity. To some degree, we've got, obviously, the Verizon DBIR, which comes out every year. I think the thing there, though, is it's less attributed to specific companies, but at least in the report, it's more about stats. The point is that can only exist because of reporting. Someone in a company has reported the incident, or the breach, or what happened. I think it's fair to say like, we're still way off in cybersecurity in terms of reporting.

[0:29:46] SC: Oh, yes. In cybersecurity, I see the traditional blame culture, which discourages reporting of security incidents. It prevents the organization from learning and you're unable to improve your defenses. I see it a lot in Asia as well. Not only in aviation, but blame culture is pretty much standard, especially behind closed doors. There's no learning. There's no wanting to learn. It's all about KPIs and making money. It's often very subtle. It's very difficult to see as an outsider as well, blame culture. Because people are being laid off, being fired on the spot. Then you ask them, why are you fired? You never find out, really, because they don't want to lose face as well. Blame culture is pretty much standard. In aviation, like I said before, aviation safety is written in blood. We learn from accidents. If we don't learn from accidents, then there's more blood going to be needed to write, and that's not good.

[0:30:36] GV: Yeah. Obviously, I've worked in Asia-Pacific for a while now, and certainly, in cybersecurity. Was challenging on the basis that companies don't even sometimes, won't help with an issue, because they simply don't even want to talk about the issue.

[0:30:49] SC: Exactly. Yeah. Losing face is more dangerous than solving a problem.

[0:30:53] GV: Yeah. I mean, obviously props to Verizon.
I believe the Verizon DBIR came out with the fact that it had its own pretty major hack at one stage. Instead of sweeping it under the carpet, so to speak, they went completely opposite side and said, "Look, we're going to be the people that hold the flag for reporting." I think that's very interesting. As you call out, aviation has had to, or at least aviation outside of, say, dictator, state, country, sponsored airlines, they have to learn from each other. Otherwise, as you call up, unfortunately, people will literally die. That's why it's been so critical.

[0:31:33] SC: How these airlines in authoritarian regimes often learn is by reading our open-source reports and learn from that. They learn from us, they leech. Internally, if somebody makes a mistake, that person is simply being fired on the spot. That's how a blame culture solves problems.

[0:31:50] GV: Yeah. We're going to move along to, we always have to talk about AI these days. Here, this is not bad. We've gotten well over half an hour without even mentioning AI. Where are you seeing AI? Especially, obviously, we're talking here about cybersecurity, cybersecurity in aviation systems. Is there anything being rolled out here to do with AI in terms of threat detection or anything along those lines? I mean, what are you seeing in that space?

[0:32:18] SC: Well, splitting the aviation industry in two parts. One, the airplane and the other one, just simply the rest, the airport, the airlines, which are also just buildings with people and computers and networks and their own vulnerabilities. On the airplane side, I do not see any AI being implemented. From where I can see it, I'm sure Boeing and Airbus and Embraer, they're all working on it, but I do not at the moment see any implementation of it in my airplane systems today. Having said that, on the other side, of course, airports, airlines are working on their own AI applications.
For airlines, that is mostly about efficiency, operational efficiency, fuel efficiency. On the other hand, of course, client retention, passenger retention, passenger appreciation, and all that side of the business. As in cyber, I think the same again, for any other industry, we're trying to use AI to threat detection, behavior analysis, threat intelligence processing, automated incident response, same as in every other industry. Again, for my airframe, I don't see anything yet.

[0:33:28] GV: Okay. Moving on from say, AI, but 5G. 5G, I believe, is rolling out. Well, is 5G rolling out within the airframes themselves, or is it more just that 5G has a standard, is having effects on, say, instrumentation, or what does 5G do in this case?

[0:33:44] SC: I can imagine that engine manufacturers are very happy with it, because with 5G chips in their engines, they can send loads of data way faster. That's all telemetry they need for preventive maintenance, of course. It's very important data. Furthermore, I don't see this in or around my airplane alone. I guess, most of the data when I'm airborne, or all data will not go by 5G, because at 12 kilometers, there's simply no reception. It will go via ground stations. Then it might be further on routed by a 5G, but those are our ground systems. I don't consider that aviation systems at all. Just a ground-based communication system. With all the risks that come with it, because imagine if you can, let's say, you can control all the hardware being used for 5G backdoors, wouldn't that be great? What a great threat surface that is. I'm just saying, who or why?

[0:34:33] GV: Yeah. I mean, it's widely reported. Obviously, that could be quite a threat.

[0:34:37] SC: Unfortunately, still a lot of people that don't understand. Below the radar, it's hybrid warfare. It's not warfare, but it's still hybrid warfare. We need to understand that we are being threatened. We need to understand who is the enemy here.
That's where threat intelligence is crucial, and sharing threat intelligence.

[0:34:55] GV: Yeah. Moving on from 5G, so we're just hitting the key, emerging technologies in this space. Drones. We can't ignore drones. Let's just talk about those for a second. We're not necessarily talking about military drones. We're very much commercial drones as well, but they're being integrated into controlled airspace these days. I mean, certainly, I found it fascinating in Singapore, I see so many commercial drones now. They're used for surveying. There's one I live near some water and one pops up every morning to survey the water stations or something to that effect. I mean, these things are huge. How is that affecting, especially again, in the cybersecurity lens? What extra threats, or challenges is that adding?

[0:35:39] SC: Well, stepping away from cybersecurity and just for aircraft safety, like birds, you don't want drones next to your airplane. Now, anybody can buy a drone for $100, or euros, or pounds or whatever, and fly this thing around. It's amateurs flying this cheap stuff around airplanes that is the real risk. In Singapore, we love our technology. It's widely being implemented for the benefit of the whole society, but it's all controlled. It's very tight control. There's no airport in the world allows drones close by, but how do you check until it's too late? I have quite often, I hear on the radio somebody reports a drone nearby and just some idiot with a camera trying to make a great shot for his Instagram feed, or whatever, but it's not safe and we shouldn't do that. It's more a legal problem, because we need regulations on that. Next to that, we also need tools to punish the people who do. It would be great if we could have a laser gun shooting down illegal drones around my airplane. Preferably automated. That would be great. Problem solved. But we don't have the legal tools for that yet.
The legal frames are still in the making, but the next couple of five years, we're going to see a lot of regulations around drones. It's still all very much in the beginning of the development. Then, I'm not even talking about warfare and hybrid warfare drones that are being used for surveillance, intelligence gathering, or just disrupting with GPS jamming and spoofing. Just fly around an airport and jam everything for the couple of hours. ADS-B interference, of course. There's a lot you can do with a drone to create chaos and to disrupt. Disrupting an airport is disrupting the economy very directly.

[0:37:24] GV: We're going to move along to more of the training and education side. I mean, I know this is something that you work in a lot. I think you said towards the beginning of the episode, just that a lot of pilots are simply not getting any training when it comes to the cyber side of things. I believe, there is some form of simulator-based cyber training. Could you just speak a bit to that? How realistic is this to actually mimic the problems? Just where does it even start in terms of bringing cyber training into the simulator side of things? I guess, for those who are not super familiar with aviation simulator training, it's always been a huge part of modern flying. You have to do set hours, I believe, on simulators and practice catastrophic situations and this kind of thing. That's to my understanding, or until recently without this lens of, but it could be a cyber-attack. It's just, oh, my engine failed and for pure mechanical reasons, and now you need to deal with that, which is different to my aircraft is under cyber-attack. Yeah, could you just speak a bit to that?

[0:38:31] SC: Yeah. You say correctly that simulator training is actually the only way that pilots learn. You need to see, feel and do it. We do a lot of CBT training as well, but that is basically all compliance. You don't learn much from that. That's just not how it works.
Not everybody is a visual learner, especially pilots. Since there are a lot of complex procedures, you need to hands-on train these procedures. Only then, you will fully understand what it means, how it works and why the procedure is designed as it is. If we need to train cyber scenarios, or hybrid warfare scenarios, we need to do that in the simulator. That is very obvious. Unfortunately, nobody does that in the world yet. For that reason, I started last year, the Aviation Cyber Academy in Singapore with a curriculum for our masterclass in cybersecurity for pilots, where we start with the basics. Then we talk about airplane threat surfaces. We identify it all. Then we move over to your specific airplane. Then, we do scenario-based training, two hours in the simulator afterwards. Then it gets interesting, because the simulators were not designed to simulate cyber-attacks and hybrid warfare attacks. I need to be very creative in showing the right cues and data for them to understand what's really going on. There's a lot of creativity involved here, but I'm sure that the simulator builders are now working on creating more realistic scenarios in the simulator as well. Yeah, it has to be simulator training. Hybrid warfare scenarios actually have to be recognized and trained as well. Those are actually much easier, because I can simulate, of course, an unverified message coming from an illegal sender and non-verified sender. That's much easier.

[0:40:17] GV: What general uptake, or reception have you found? I mean, you're very much on the ground in Singapore doing this training. I mean, are you finding these are pilots coming from other countries to come and do this? Or at the moment, is it more Singapore-based thing? I'm just curious of how the industry is receiving this.

[0:40:36] SC: Well, the industry is actually not receiving it at all at the moment.
For the same reason I stated in the beginning, that the airline top management does not see cyber yet as a primary business risk. I talk to pilots. They would love to go through the training, because we always feel we need to understand what's going on. Then again, they don't pay the training and you need to have it on your roster, on your schedule. The simulator needs to be reserved. You need to have an instructor. The whole training part of that and the organization part of that needs to be done as well. For now, it's ready to roll and I'm waiting for airlines to show up and tell me that we need this. Because right now, 91% of crew reports that they are concerned about flight safety impacts of not being trained rigorously enough about what's going on here. They just don't understand. I can't blame them, because this is quite complex stuff.

[0:41:29] GV: Yeah, that's very interesting. I mean, obviously, I hope as a passenger, as much as anything, that this is taken more seriously by airlines. Yeah. I mean, we're coming up for time a little bit, but I just like to get your take on, I guess, the next, I don't know, this is always a bit of a crystal ball, the next five years, for example, in sort of aviation, cybersecurity. What are some things that maybe you think are very likely to actually advance? Then, maybe what are a couple of things that you would like to advance, but you're not convinced that even within five years they're going to change?

[0:42:07] SC: Okay. Well, I'm very much convinced that nation-state cyber warfare will increase, because it's a very cheap and below the threshold way of disrupting your enemies. We're going to see more cyber warfare also affecting aviation. We can see Putin now is getting more bold. He's now blowing up supermarkets even in Europe. No shame at all. It's very difficult to attribute that to him.
We will have more hybrid warfare, more nation-state cyber warfare, absolutely, which only makes my point that we need to continue being more resilient and ramping up our security. For that, of course, critical infrastructure, ISACs are absolutely necessary. Not just get all aviation together. That's way too small. We need to have all our critical infrastructure CISOs together, and we need to start sharing today. It's not a luxury. It's a necessity.

[0:43:01] GV: Yeah. I mean, I think you've, I guess, touched on it with your cyber simulator training. It's one of these, I guess, chicken and egg problems, where you've just predicted that all the problems are going to get worse. You'd think that there are more opportunities for there to be more, I guess, commercial businesses coming into the space. The way that cybersecurity as an industry exploded over the last 20 years, an explosion of, say, EDR providers and this kind of thing. Do you see there being a version of the next five years where aviation cybersecurity suddenly is a hot thing? I would say, or I'm questioning the incumbents, let's just take CrowdStrike as an example. Could you see a CrowdStrike having an aviation offering, for example, where an EDR sits on a plane, or anything like that?

[0:43:51] SC: Well, yes and no. I don't think CrowdStrike is going to do that, because they simply don't have access to the architecture of the airplanes. I would love to say that within five years, I hope Boeing, Airbus, Embraer and all the big names are working very hard on that and can show me at one day a brochure and a diagram saying, "This is how we fix it. This is how we increase our resilience." Very unlikely, they'll give me a call, but I really hope they're working on that. On the other side of aviation, the non-airplane side of aviation, of course, CrowdStrike can do whatever they do and what they're good at doing by creating more cybersecurity and resilience.
That part of the aviation sector, I do not find very interesting, because it's the same challenges, like manufacturing the finance, or healthcare. It's just a building with a lot of network and most likely some OT attached to it as well. Which by the way, OT operation technology has their own challenges, but that aside. Yeah, I really hope that there will be more vendors. But as you know as well, 20 years of cybersecurity, a multi-million cyber vendor market, and it's all very sexy with nice tools, but we forget the basics. I am teaching cyber hygiene basic. That's what we keep forgetting, because it doesn't sell. The market is created to create money, not to create security. In general, I see a lot of products on the market that are being sold to people that don't need it, confusing CISOs. Maybe they're inexperienced, because there's also young CISOs. They walk around on these floors of large cybersecurity events and they're being attacked on all sides by vendor. "You need this. You need that. Da, da, da. We can do this. Yes, we can do it." Months later, oh, actually it doesn't fit. No, it cannot connect. No, actually, configuration doesn't work. Yeah, sorry, boss. Big problem. Once it's connected, it's already legacy, because you can't get rid of it anymore. That's a big problem. That's why an airplane, like a Boeing, or an Airbus, it has a lot of third-party hardware and software as well. Connecting all that stuff is a challenge, absolutely. That's why there are standards. Changing these standards, again, talking ARINC, changing these standards has a huge impact, because everybody, every vendor, every third party, hard and software provider has to adapt, which costs money, which makes the product more expensive, which makes the airplane more expensive. It's all connected.

[0:46:13] GV: Yeah. I think that's a really good call out. We obviously saw the - wasn't cyber related, but it was technology related.
We saw the outcome of this in those Boeing 737 MAX crashes, where effectively, technology had changed, but it had changed at a pace that hadn't, for various reasons, cost reasons, etc. Pilots have been trained on that technology change and the outcome was catastrophic, unfortunately. I think what you're getting at is the fact that for anything to change inside an aircraft, we're not talking a lead time of a year. It's like 10 years from start to finish of, especially if we think of, again, let's just go back to the CrowdStrike example for a second, it touched the kernel of Windows, which is in theory why it's able to protect things, but it's also in theory why it's actually got the most risk if it goes wrong, because it can sink the whole system. I think in aircraft, that would obviously be just doubly problematic if you have systems that technically could fail the whole aircraft as well.

[0:47:14] SC: Absolutely. Great example. Then next to that, you buy an airframe of 30-40 years. We have the same problem, like the maritime sector. These big container ships, they have been around for 40-50 years, man. Most of them still run on MS-DOS. I tell you, MS-DOS. Talk about cybersecurity and resilience. I mean, hacking in container ship, really. It's not that difficult.

[0:47:34] GV: Yeah. Well, maybe we'll need to find ourselves a maritime expert as well to bring on the show at some point, yeah.

[0:47:40] SC: Then next to that, we're going to have a lot of extra frameworks, new frameworks, regulation frameworks. They will mature significantly, I think. ICAO will probably set the standards. The standards will probably become mandatory with enforcement mechanisms. Right now, it's all more advisory. But we need to enforce. Because you can imagine, let's say, one country is taking the ICAO standards serious, and the country next to it is not, it's not working. We have to do it all together. Cybersecurity is teamwork. Enforcement is going to be needed.
Otherwise, it's not working. Then in Europe, EASA and the FAA, they will also implement, I think, binding cybersecurity requirements for aircraft certification and airline operations. We can't ignore it anymore. We can't afford it.

[0:48:25] GV: Yeah. Well, I think that's a great place to leave this today. I mean, I think this has just been a fascinating conversation, and obviously, a lot of knowledge and understanding imparted from you today, sir. I really appreciate you coming on Software Engineering Daily, and I think, I imagine 99% of our audience have learned something new today. Thank you so much for coming on.

[0:48:45] SC: My pleasure. Have any questions, find me on LinkedIn, and I'll gladly answer them.

[0:48:49] GV: Fantastic. Thank you so much.

[END]