With the rise of the internet and the increasing dependence of our society and economy on communication technologies, cyber security has become a critical issue for all types of businesses. In just two decades, various industries were confronted with fundamentally new types of threats, threat actors and dynamics. This talk first addresses the peculiarities of the cyber security field and what the software industry had to painfully learn in the past decades in order to adapt to these new threats. To understand the cyber landscape and how it affects aviation, we classify threat actors and explain global developments that critically impact security (such as interdisciplinarity, complexity, miniaturization, diversity of the crowd, price erosion, dynamics of the security community, …). Based on the realization that cyber security is a complex adaptive system (CAS), rather than a simple technological issue, we highlight fundamental properties of a CAS that help us understand future threats, design effective security, and identify ineffective security approaches. In part two, the talk examines how the aviation industry and authorities handled safety and security issues in the past 100 years – and challenges the applicability of these processes to address current and future cyber threats. We show how previously secure and isolated aviation systems become critically exposed and identify security assumptions that are prone to fail in the present cyber landscape. The talk concludes with key lessons learned by other industries and how these can be applied to the aviation sector. Recommendations on the organizational, system design, and technical level are given in the hope of creating awareness and avoiding preventable issues with cyber security in aviation. For many of the challenges, solutions already exist – let’s get them implemented before they get exploited.
September 7, 2015, Stefan Frei