cyber security in aerospace - atkinsglobal.com/media/files/a/atkins... · cyber security. he...


Page 1: CYBER SECURITY IN AEROSPACE - atkinsglobal.com/media/Files/A/Atkins... · cyber security. He provides advice to key clients on a variety of topics including transport security, safety

And this issue is seriously coming to the forefront today within our industry. Sure, we know of the damage that hackers, crashed websites, and disrupted navigation systems can cause – not to mention errant drones – but bad computer security isn’t just about what hits the news headlines. Poor resilience in any IT system can have the knock-on effect of infecting core business operations at any level to devastating effect, and the causes can come from many new places – from an infected USB stick plugged into a major maintenance database, to poor staff training.

If you think cyber security in the aviation industry means merely protecting websites and online booking systems from malicious hackers, it’s time to think again. The issue is much broader, in an industry that’s evolving to fully embrace the benefits of going digital, where any stage along the complex maintenance, repair and operations (MRO) supply chain is exposed to potential risk and loss of service. Matthew Simpson, technical director for cyber-resilience and Matthew Price, head of aerospace aftermarket at Atkins, a member of SNC-Lavalin, present the facts and provide a valuable heads-up.

Do you remember the original Jurassic Park film, where the lifelong dream of an eccentric genetic pioneer – to bring dinosaurs back to life – was very quickly destroyed thanks in part to the negligence of a wayward computer programmer? Admittedly, being eaten by dinosaurs is rather an extreme example of what can happen when IT goes wrong, but it nevertheless gets to the heart of the cyber security problem: any IT system, no matter how advanced, clever and complex, will only be as strong as its weakest link.

CYBER SECURITY IN AEROSPACE
It’s time to start tightening the weakest links


Why resilience is a business-critical issue

So, operating in an industry where any aeroplane grounded at an airport beyond its scheduled time incurs cost, it makes plain business sense to take a step back and view the bigger picture and tighten any weak spots. Because resilience is a business-critical issue. And timing is of the essence. While aviation is increasingly embracing the digital revolution – and within the aviation MRO sector there is undoubtedly a strong pull to embrace digital systems and processes and cast old-fashioned paper systems aside – that means increasingly integrated networks will need to be opened up for users to access processes and systems. It means that potentially thousands of people along the MRO supply chain will need to have that access, as never before. And this means there will, inevitably, be weak links and exposure to risk like never before, too.

A shift in approach to cyber security

That’s why we are now saying to major and minor players along the whole MRO supply chain – be they aircraft manufacturers with a global presence, or a small operation in a regional airport – that there must now be a shift in focus, for businesses of all sizes in the industry, in their approach to cyber security. And we need to start by clarifying exactly what we mean by cyber security and cyber resilience. We’d assert that any system or process should be ‘secure by design’.

That means having a full awareness of your infrastructure and an understanding of the threats your business may face. It means prioritising your operational resilience – otherwise, what kind of business are you left with? It also means fully understanding your risk, implementing the appropriate layers of security, segregating vital systems so there’s no spread of malicious activity, and minimising user privileges so you have as much control as possible over access to your systems. It also means minimising media connectivity – such as errant USB sticks or iPads that aren’t security checked – and preparing for good maintainability and monitoring. Finally, it means robust management of third-party risk. For example, how well-trained are the employees who will be accessing your digital systems? It also means implementing change assurance.

But knowledge is power – and the good news is, knowledgeable help is at hand. Here at Atkins, a member of SNC-Lavalin, we understand that with the huge benefits of new technology, along comes risk, too. Where there’s improved interconnectivity, there’s an increased likelihood of additional involvement from third parties, resulting in larger numbers of access points and potential mistakes.

And we know that without any robust back-up capability, aviation companies will be putting all their eggs in a somewhat precarious basket.

Causes can come from many new places – from an infected USB stick plugged into a major maintenance database, to poor staff training.



A secure airline industry is a safe one

So, there’s a lot to cover. But we have to start somewhere – and there is a willingness to learn across the sector, and a general view that the only way is forward in addressing these issues. We know that a secure airline industry is a safe one. So, where the principle of safety is paramount to the aviation industry and MRO operators within it, the logical conclusion must be that by failing to address emerging cyber security risks linked to digitisation and interconnectivity, you’re effectively putting the entire sector in jeopardy. And while, as things stand, there are no specific cyber requirements mandated by EASA, there is little doubt that regulation and legislation are coming. One of them includes the consultation notice for a proposed amendment to PA 2019-01 on Aircraft Cybersecurity, which if passed, could be enforced by the end of 2019.

Here at Atkins, a member of SNC-Lavalin, we’re already demonstrating our capability in educating the sector, in our role as the go-to partner to help address complex cyber problems. As such, we know from conversations we’ve already had with various MROs that the sector has a generally good awareness of cyber security issues. However, there is limited knowledge when it comes to applying this awareness to their own infrastructure, how to design-out risk in terms of people, process and technology – and also little understanding of the impact a cyber event might have on their operations if malware spreads through the supply chain.

A broader understanding

So, what’s needed is a broader understanding of the risks of interconnectivity to, for example, original equipment manufacturers’ IT platforms, a better understanding and awareness of the risk of integrating such platforms and opening them up to multiple users, and a better grasp of managing this kind of risk across supply chains between and across companies and across physical borders.

As an MRO, you also need to increase your understanding of what an impact on operations, such as a fast-spreading malware infection, might look like. Also, on the horizon, we need to know how to better manage increasing connectivity to the internet of things and other new third-party systems.

We are specialists in cyber security, but our difference is in-depth engineering and sector knowledge: and this is a game-changer in understanding the issues you face. We are leaders in providing a deep knowledge and understanding of what you need to do, and as advocates of cyber resilience we can help you every step of the way. Because tackling this issue, and its various complexities, is not a question of building new IT systems and processes then making security fit in later on: it’s about understanding the new environment in which we’re operating as a sector. It’s about ensuring every touchpoint of your IT systems can demonstrate resilience. It’s about adopting a step-change in your understanding of engineering – and not merely ‘getting in cyber security experts’ to deal with the problems that will, inevitably, arise later on.

Secure by design means fully understanding your risk, implementing layers of security, segregating vital systems, and minimising user privileges so you have as much control as possible over access to your systems.

We know from conversations with MROs that the sector has a generally good awareness of cyber security, but the application seems to be limited.


Matthew Simpson is technical director for cyber resilience at Atkins, a member of SNC-Lavalin, with more than 20 years’ experience of working across system engineering, technical assurance and cyber security. He provides advice to key clients on a variety of topics including transport security, safety system assurance, secure SCADA architecture and the internet of things. Matthew has also previously worked with the UK Government and the academic sector to produce global standards and guidance in the field of cyber security and smart infrastructure.

Matthew Price is head of aerospace aftermarket at Atkins, a member of SNC-Lavalin, responsible for aerospace digital transformation initiatives for the European civil and military aerospace division. Backed by 20 years’ experience, Matthew is a chartered engineer, with a background in aircraft structural design, programme delivery and client management, and has worked for OEMs, Tier 1 suppliers and global engineering consultancies throughout Europe, USA and Australia.

Cyber resilience underpins safety

To really tackle this, we’d urge you – from today – to start adopting the mindset that cyber resilience underpins safety. Across the sector, there is now a need for a heightened awareness as to how resilience can be built in to address the vulnerabilities in both legacy and new systems alike, plus a firm acknowledgement that the proven systems and safety engineering approach to cyber security risk management is the way forward. Why? Because this will serve as your security and safety case evidence: it will inform you as to where your vulnerabilities occur, so you can analyse and address those risks to strengthen the entire chain.

There’s no doubt that the issue of cyber security in the aviation industry will be a transformative one. It has to be – it’s business critical after all. And, by taking the first step towards understanding where you are in the journey, you will have the advantage of understanding the potential impact of any risks to your business operations and your engineering systems at a much earlier stage, and so you will be better-positioned to start building up that resilience. And there are many, many factors to start focusing on, much of which depends on what kind of business you are: from managing a skills shortage to relying on licensed technicians, from planning and optimising your resources to dealing with unpredictable and fluctuating workloads, and from adhering to working time policies to simply trying to keep customers happy while aiming to reduce cost and operate more efficiently.

This is a time of great opportunity for our industry, and it’s not too late to start really tackling the issue of cyber resilience in our supply chain head-on. As a sector that millions of people rely on, every day – customers, clients, partners, suppliers – it’s our duty as its guardians to protect the end-to-end digital ecosystem at every point. But the digital world is marching on voraciously – and it’s in our DNA to do everything we can to avoid delays. So – the time to act is now.


The digital world is marching on voraciously; the time to act is now.