Aerospace Village - Hacking Aerospace Cybersecurity Regulation
Formal metadata
Number of parts: 374
License: CC Attribution 3.0 Unported: You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unaltered or altered form, for any legal purpose, provided you credit the author/rights holder in the manner they specify.
Identifiers: 10.5446/49207 (DOI)
Transcript: English (automatically generated)
00:06
Welcome to the Aerospace Village at DEF CON Safe Mode. My name is Kaitlyn Tricon. I'm the Director of Communications at the Aerospace Village and Vice President at Rock Solutions, a public affairs agency where I lead the firm's cybersecurity practice.
00:20
I am thrilled to be moderating this panel on hacking cybersecurity aerospace regulation. The aerospace industry is highly regulated with a great deal of focus on cybersecurity. Aerospace regulators play a key role in understanding risk and putting in place the legal frameworks in creating rules, regulations, and best practice around good faith research.
00:40
Today's panel will look at how the aerospace industry is approaching cybersecurity regulation and its relationship to good faith hackers and researchers. We will look at how other sectors have approached regulation and partnered with this community to increase resilience and highlight vulnerability. Now I'd like to introduce our esteemed panelists. Nikki, will you kick us off?
01:01
Sure. So my name is Nikki Keeley. I'm the Head of Cybersecurity Oversight at the UK Civil Aviation Authority. So I work for the UK CAA and as the UK's aviation regulator, we're responsible for overseeing the implementation of cyber requirements in regulation for regulated aviation organizations.
01:21
So that could vary from airlines through to airports, through to air navigation service providers, or even drone operators. And it's really important for us that we have a proportionate and effective approach and that most importantly, we enable aviation to manage their own cyber security risks without compromising aviation safety,
01:40
security or resilience. Thanks. Harley. Hi, I'm Harley Geiger and I'm Director of Public Policy at Rapid7 with offices around the world. I'm in the DC area and I run Rapid7's public policy
02:00
and government engagement activities. I've worked in privacy and cybersecurity technology policy and law for about 10 years and I'm excited to be here. Thanks for having me. Thanks. And Salo. Wow, thanks Kaitlyn for the invitation. My name is Salo Da Silva. I work for ICAO.
02:21
ICAO is the United Nations Agency responsible for the regulatory framework of aviation on a global basis. In particular, I'm chief of the Global Interoperable Systems Section. It's a weird name, but basically what we do is take care of regulations
02:40
regarding information management, operational and safety critical information management, including the aspects related to cyber safety and resilience. Basically keep the system going no matter the type of problem that may happen coming from our new actors. Thank you.
03:02
Thanks Salo. All right, let's get started. I think it only makes sense to start with where the industry is right now when it comes to aerospace cybersecurity regulation. Nikki, I know that the UK has made significant strides when it comes to building bridges between security researchers and industry and how that helps drive regulation.
03:22
I'd love it if you could kick us off and talk a little bit about that evolution and where the UK is today. Sure, thanks. I don't know about significant strides. I think we are starting to build the bridge, which is positive. So in terms of lessons learned, I'd say the first hurdle that we really had to overcome
03:41
was this misconception that all a regulator wants to do is fine people, which is absolutely not the case. You know, at the end of the day, we're all here for the same reason. We know that our industry and good faith hackers ultimately want to make aviation safer and more resilient. So I think it's about breaking down that misconception. I think the second hurdle is around
04:03
how do you actually report? What mechanisms do you give individuals and good faith hackers to actually report things? And we're lucky in one sense in Europe, there's a regulation which is focused on what we call mandatory and voluntary occurrence reporting. So that's all about making sure
04:21
that safety information is reported, that it's collected, protected, analyzed, so that appropriate safety action can be taken. And where there's a cyber vulnerability or a cyber incident, and that would impact on those safety critical environments, then we believe that it's really important that that information should be reported and acted on.
04:42
And for organizations who aren't in scope of that regulation that I just mentioned, then we also have a whistleblowing option available in the UK under the Public Interest Disclosure Act. So that's all available on our website. So I think starting to build that bridge was making sure that it was clear that we want people to get into contact.
05:00
It's not about taking punitive action, it's about starting that dialogue and conversation, and then showing that there's a mechanism for them to be able to do that and making those options available for contact. So I think that's really important for us. That's great, Nikki. Have there been any significant challenges in communicating that message to the community?
05:22
Do you think that's where the hurdle lies? Yeah, I think it's, all regulators are different. I can only talk about aviation, but different regulators might have different approaches. And I think it has been about how do you get that message out there? And I think that's been developing slowly through our relationship with industry.
05:42
We've started to build a really positive relationship with our industry. We've tried to make it clear that we want them to engage with us and collaborate with us, and that it's not the case of never having a cyber incident. We expect that organizations will have cyber incidents and will find vulnerabilities.
06:02
And it's more about following what we call just culture in the safety sense, and reporting those so that they can be fixed. Thanks. And just keeping with laying the landscape out, Salo, from a global perspective, how do you think states are dealing with the challenge
06:20
of aerospace cybersecurity regulation? You know, what are some of the greatest challenges you think the industry faces? Thanks, Kaitlyn. You mentioned actually two important words here, regulation and challenge. And I would put a little bit of spice and add one more that is interoperability,
06:42
that for us in the aviation industry is actually a bigger problem than just cybersecurity regulation. In theory, it's really, how can I say, it's a problem of divergence. So when we talk about unity in aviation in ICAO for the future,
07:01
we need to consider the impact of this digital transformation that is happening and that we are living right now, this digital evolution. And it's something that comes because we have several economic drivers that are basically encouraging this digital transformation of the business.
07:23
So this will happen if we want or not. And we have to be prepared for that. We have to have this increased digital data and information exchange. We know that this is necessary to guarantee not only safety, but also to improve
07:41
the efficiency of the system. And of course, we know that everybody's taking actions to secure their part of the system. But as I mentioned before, it's a problem of divergence. So one example of a divergent digital process,
08:01
we can say that, for example, manufacturers who needed to upload software critical parts onto their craft, they are doing everything they should do to secure, for example, the supply chain and to guarantee that they have a certified identity
08:23
and the integrity of the data being uploaded. So if you, for example, want to connect to the cockpit of the aircraft, you will do the same thing. You'll take the actions to connect in a secure way. If you want to connect to the back of the airplane,
08:40
also you're gonna do things to connect to the back using a different certificate system. So if you are one manufacturer of avionics, for example, and if you are using different ways to connect it to the supply chain or to the equipment on board. We know, for example, also airports.
09:02
Airports are also establishing their system to guarantee the security of their operation. So basically, you have everybody doing what they think is correct, what they need to do. So we are going to a point that we are finding ourselves
09:22
with thousands of different certificates floating around the ecosystem with little or sometimes completely no compatibility. And that's when the issue of compatibility or interoperability comes. And we believe that these certificates, they, like other things, they have to be maintained
09:45
along hundreds of different processes and procedures. And the big challenge is how to create a convergence on all these important activities that are being taken nowadays, I don't wanna say in an uncoordinated way,
10:03
but in a very loose way. So the challenge for the states right now is to have global harmonized regulations through coordination and cooperation. The coordination, cooperation to face this challenge to have a global harmonized regulatory framework
10:22
is really necessary because aviation is international by default. Airplanes do not recognize borders. I keep saying that we have checkpoints on the ground but we don't have checkpoints in the air. So cooperation and coordination to develop a harmonized set of regulations is a big challenge
10:40
that states are facing right now. And that's a really interesting point is that challenge of it being so global and each kind of state having its own rules and regulations, that framework that you're talking about, are we currently in a process where that's being discussed and worked on? Or is it still in the stages of,
11:01
it would be a nice to have and we need to work on it. From an international perspective, the International Civil Aviation Organization is working on that with the help, obviously from the states, because that's where the expertise lies. And we have Nikki here with us, who is helping us a lot on that subject.
11:22
But this effort is already ongoing. It's not an easy effort. As you mentioned, we have a challenge because we have national security requirements. We have national culture. We have national ways of trust. And when we have to expand this to a global environment,
11:43
it keeps us awake, but we are sure that cooperation and coordination with the help from experts from the states, like Nikki, who is here with us, we will face and we will win that challenge. We'll get there Sal. We'll get there eventually.
12:01
Do you have anything to add to that, just from your perspective? Yeah, I think Sal raises a really good point. And sometimes it's easy to forget this. I did cyber for an operator back in the day before I joined the regulator. And sometimes you can think of it just in terms of that one organization,
12:22
but when you're having to talk about regulations and international frameworks and standards, and you have to think about what's proportionate and appropriate, not just for me as the state, all of the airports of all sizes that we regulate. But then if you look at it from Sal's perspective, at an international level, for all the states,
12:41
all the organizations, all the aviation entities, it does become a challenge, but I think the work is well underway. So I'm hopeful. That's great. Thank you both. And I'm just turning to Harley. We've talked a little bit about building bridges between the security researcher community and regulators
13:02
in order to help the disclosure process, help things become more transparent and safe and effective. Can you talk a little bit just about the current disclosure process and environment for security researchers when it comes to this particular industry? Sure. So overall, the security vulnerability disclosure environment
13:28
is greatly improving. There's a lot more adoption of coordinated vulnerability disclosure within government agencies for themselves, recognition that it is valuable in industries
13:40
in the different sectors that those agencies regulate. And it is becoming more accepted as a basic cybersecurity practice, both in the United States, and I would say internationally. And two great examples of agencies that are doing this are the FDA and the Department of Justice, CISA within DHS.
14:01
Within the aviation industry, our experience is that it is not yet quite normalized. It is still somewhat difficult. And I think that is in part because it is such a highly regulated industry. And because the potential negative effects on the industry of undermining passenger confidence
14:21
can be so negative, so catastrophic. And unfortunately, we have a media environment that when it comes to anything related to aircraft safety, tends to sensationalize it. But in part for these reasons, our experience is that aviation has a ways to catch up.
14:42
And it's unfortunate because there is a great deal of innovation that is happening in aviation right now. And the systems that are put in place in the sky and satellites, a lot of them stay in place for many years, as long as a generation. And so you have rapid innovation where security issues might be missed.
15:01
And then you have equipment that stays in operation for a very long time. And then you have legacy issues with those security problems. So we think that this is an area where security research can really play a valuable role, but it is important to integrate security researchers and cybersecurity community into the manufacturer design.
15:23
And once they're deployed, the vulnerability disclosure processes. Thanks. You brought up a point about just sensationalization and how the media can catch wind or certain entities catch wind
15:42
and kind of make this out to be something bigger than it actually is to kind of get the headlines and get the hype. Do you think that that is a barrier when it comes to wanting to disclose? Or do you think that there's kind of two tracks where people want the flash and they want the publicity,
16:00
so they do kind of make it a little bit more sensationalized than it is? Or do you think there's also that I don't wanna say anything because I don't want that to happen. I don't want my words to be misconstrued and turned into this sensationalized, like, oh, you can get into the TV on the plane and it's gonna crash down.
16:22
So our impression is that it's both. It depends on the individual researcher, their risk tolerance and sort of what their goals are. If there is a legitimate vulnerability in aircraft, I don't think that sensationalism is really necessary in order to get headlines.
16:41
And if you're just disclosing it for flash purposes and credibility purposes, then question whether you're disclosing it for the right reasons. That doesn't necessarily mean that it's not a security vulnerability and that there's not attention that should be paid to it, but it is really not the way to build trust. And I think it is also very much a barrier to engagement with the industry
17:02
and the agencies with the security research community. So I think that there's work that has to be done on both sides. I will say that I don't wanna let the agencies off the hook and just say that sensationalism is the issue. I mentioned the FDA, DOJ and other agencies earlier. Those agencies have made great strides in the past couple of years
17:21
to engage the security research community, including attending DEFCON and just working within those agencies' areas of jurisdiction like FDA for medical devices and DOJ, they're being more transparent on things like coordinated disclosure, prosecutions and research protection under DMCA. Shout out to Leonard Bailey and Suzanne Schwartz,
17:42
but FAA and the aviation industry have a ways to go. I know that there's good work on cybersecurity being done at FAA, like by Susan Kaebler, but they're not really being clear, in our opinion, publicly clear that they care a lot about cybersecurity and that they wanna build relationships
18:01
with the cybersecurity community. It's just not clear. Like it's quite difficult right now to find much cybersecurity specific guidance on aviation systems from FAA, both manned aircraft and unmanned aircraft. Unmanned aircraft being a huge area of concern since that is consumer level devices.
18:21
And there's even less information out about how security researchers can work with these agencies. So our advice is twofold. One, for researchers to work to gain understanding about the unique context and pressures that the aviation industry is under, to be respectful, manage the media, to avoid sensationalism and work to build trust.
18:42
But our advice also to the FAA is to encourage the aviation community to build bridges with the security community and to actually facilitate that engagement. Make clear that you are making an effort to bring in experts from the cybersecurity community, not just the aviation industry, for input on their guidance and their activities.
19:01
Harley, thank you so much for letting me make a great point just about building trust. And at the Aerospace Village, that is our core mission is to build the bridges of trust between the security researcher community and the aerospace industry itself to kind of formulate those relationships so that we can have these conversations.
19:20
And so I'd like to kind of spend some time talking with you all about what we can do to forge those relationships in order to build that trust. You know, Nikki, I know in a prior conversation, we had talked about how in the UK, industry has acted as a conduit between good faith, the hacking community and the regulators.
19:42
And I wonder if you think this approach is sustainable, or do you hope that that relationship evolves to where that community feels like they can go straight to the regulator? Because right now it seems like if you have that conduit, it's working. But I wonder if you hope that it evolves so that they go directly to you.
20:02
Yeah, that's a really good point, Kaitlyn. And I think Harley's raised some really good points as well. And at the moment, we have had reports come to us largely through researchers or cyber specialists that have been asked by our industry to perform specific testing. And that's great because that shows
20:21
that we're building that relationship with our industry, that they trust us and wanna report to us about issues like that. But going forward, I'd absolutely love to have the research community feel like they can get in touch with us. And I think importantly, and Harley, you mentioned customer confidence and passenger confidence,
20:42
which I think is so important. And I think the media and sensationalism element doesn't help. And I have to admit that as a safety regulator, we do get nervous. When it's safety critical systems, we do get nervous. So I think it's about how the reporting is done and how that engagement works.
21:01
But for me, my absolute perfect scenario would be to have early engagement with researchers. Like, when you're planning on what research you wanna be doing, having a good conversation then, because sometimes there are aviation contextual elements that might be helpful for the researcher to know about,
21:20
because it might impact how they decide they want to do that research even. There's an air navigation service provider guy that I talk to, and he always goes, well, I'm thinking that's not an issue because I can just look out the window. So sometimes there are non-technical but aviation contextual elements that could be helpful in that research. So I think earlier the better,
21:41
and it'd be great to be part of that discussion about focusing on areas that need more research because either industry aren't able to do it themselves or we aren't able to do that, and we need that research community to help with that. But to have those good conversations early on between the operators and the manufacturers and ourselves and the researchers,
22:01
that that can be kind of well planned. I was just thinking, so the Oxford University published a really great research paper on pilot reactions to hacked avionics, and had a great conversation with the researchers afterwards. And they were talking about ideas for the next research paper. And it's something we'd love to get involved in
22:22
and help support and see how we can, at the end of it, end up with a safer aviation environment. So I think that would be great. Nikki, I'm so glad you brought up that talk as it is going to be featured, or that research is going to be featured in the Aerospace Village. So if you are interested,
22:41
there will be a discussion and a presentation on that. So thank you for the plug. That's great. Salo, I do know that, and Pete Cooper tipped me off to this, that ICAO has released a cybersecurity strategy. And in there, there's a line about security researchers and how you'll work together.
23:00
And just kind of curious to your thoughts about how that will work and kind of what's being done to bring that to life. Thanks, Kaitlyn. And just before addressing that point, it's a very good, provocative question, actually. And I'm a researcher myself, so I like that point because I play on both sides.
23:22
But just to add one point that Harley mentioned before, I think sometimes we don't have much information nowadays about aviation and the cyber aspects related to aviation, because lots of the concepts and decisions are still to be made. There are lots of ongoing developments right now,
23:40
lots of, let's call, like we call in ICAO, some uncertainties. And sometimes it's bad to spread some information that's not mature to the community because it may create lots of confusion. So we try to spread the information. I'm not trying to defend FAA. I'm just saying that sometimes
24:02
we do not spread the information just to avoid the creation of a situation that may actually not be helpful to our system. But coming back to what you said, and I mentioned to you that it's a very provocative question, and I can, honestly, I hope I can be short in my answer,
24:22
although I really think that this would be the specific discussion. When I talk about research and trust, it's a specific discussion that needs to start, that needs to have. And I would start just making a small statement or what you call an observation
24:40
on how, and I think Nikki mentioned that point or you mentioned too, and how trust affects that relationship between different stakeholders, because this is really important to be aware. And we see trust like a form of faith in the outcome of another's actions.
25:02
So we have to think about that. Trust exists in a context of a kind of imperfect knowledge but not mature, imperfect knowledge, and also thinking about a possible future contingency. And I said, it is a form of belief
25:23
despite uncertainties. That's how we see trust. And also since the beginning of the century, but in all modern society, trust has been conceived as a mechanism that will help us to reduce the bureaucracy, the complexity, and enhance obviously communications
25:42
between or among different stakeholders. And also we can use the trust to reduce the need of a very strict regulation like a contract, for example. So in the international aviation,
26:04
there is a very sensitive ecosystem. Aviation, it goes through the headlines. Aviation, the media does not forgive us. The small incident goes to the first page, goes to any media headline.
26:23
So we have to be conscious that the ecosystem is really sensitive to that. And we see in aviation from an international perspective, the human element of it is at the core of cybersecurity.
26:43
It is critically important for the international aviation community that obviously the civil aviation sector increases the number of personnel that is qualified and knowledgeable in both, and Harley correctly mentioned, that's not only aviation,
27:01
but also aviation and cybersecurity. And this is a new era that is coming out. For example, I have to be honest, I'm 36 years in aviation, so I know a lot about aviation. I know a lot about aviation, but the last five years, that's when I start learning about cybersecurity actually. So I can't consider myself a cybersecurity expert. No, I cannot.
27:20
I can consider myself an aviation expert for sure, but not a cyber. And we have to have these qualified people in aviation and cybersecurity. And this obviously you have different processes to achieve that through recruitment, through education, training. But one significant way to advance is to research.
27:44
Research is very important. And that's why I decided to go back to the research community. And I've been doing research in these states. And as such, as part of the ICAO strategy, as part of the international strategy, we, the International Civil Aviation Organization, we encourage all these states
28:01
to set up the appropriate mechanisms for cooperation with what we call the good faith, the good faith research, which is basically the research activity that's carried out in an environment that is appropriate and is designed to avoid affecting what we,
28:20
for us as a part of all that is safe, the security, and like we are seeing now, there's the continuity of operations. So I can encourage the states to do that approach. But obviously, again, we go back to the aspects of trust. They are different in different societies. There is different ways of cooperation.
28:40
So we have to encourage and help the states to do that because at least from this area that we see nowadays, cyber security research is the one who allow us to advance faster and achieve the results that we want to keep safety and continuity of operations as we have been doing for the last 100 years.
29:03
Thanks, I think that's a great answer. And also gives me a lot to think about too, just in terms of how, the point about everybody thinks about trust differently in different communities. And so, when we say that, oh, it's important to build trust, what does that actually mean to the different stakeholders and the different groups?
29:21
Harley, I'd be interested to get your thoughts on this as we talk about what needs to happen and where we need to go. From your perspective, what are some things that the aviation industry can do to kind of build that bridge and that trust? So first of all,
29:41
I think the aviation industry, there's a number of things, but focusing just on the relationship with security researchers. Mentioned a few things before, but it would really be helpful to have guidance for researchers on vulnerability disclosure. And this can come in the form, perhaps ideally in the form of model guidance
30:01
from the FAA. Essentially something that tells people what the FAA wants them to do in a situation where they have a vulnerability to disclose. Where, what is the mechanism for the FAA to know about a vulnerability since it is just the FAA that can decide whether a vulnerability is safety critical.
30:21
And unfortunately there's the alphabet soup of agencies in the United States kind of makes understanding what the agency roles are a bit difficult, right? So FAA is safety critical features in aviation, but CISA and DHS is the lead cybersecurity agency.
30:41
So where do researchers go if they're trying to disclose? Is it both? This is not something that researchers who are focused on technical subjects and not necessarily on managing government bureaucracy should have to try to figure out on their own. There should be clear public guidance about that. And FAA in particular can play a great role in leading the charge on distributing that type of guidance
31:04
and encouraging industry stakeholders to do it as well. A note of caution though for the industry as well as for the FAA is that there may be an impulse to say, well, aviation is special because there's safety components. Well, true, but that also exists for vehicles.
31:21
It exists for medical devices. This has been done before. It's not going to be viewed by researchers as being so special that they would willingly submit to a process that it's completely locked down, right? So if you are looking at having a vulnerability disclosure process and having it completely under NDA
31:41
and restricting the ability of researchers to do anything with their research or to disclose in the event of a disagreement and so forth, that could very well backfire. I think the research is gonna happen sort of regardless. Many of these components can be purchased on the secondhand market. Certainly when it comes for unmanned aircrafts, those are increasingly easy to purchase.
32:04
And so the research is going to happen. The key is gonna be building an engagement that both sides can live with, not one that locks down researchers and then violates the trust that you're supposed to be trying to build in the first place. So I think you bring up a really good point about the secondhand market and the research is going to happen
32:22
with or without the industry. And I wonder if, from my perspective, I feel like that should change and there should be this, well, we don't want you going to get older equipment or secondhand equipment that's already been used. We want you to get the stuff before it's being used
32:41
to identify what challenges or problems, vulnerabilities lie within. And I wonder, from both your perspective, where do you think that barrier comes from? And then from Nikki or Salah's perspective, why isn't industry or regulators approving,
33:00
oh yeah, we want you to take a look at these components before they get put into use. And I wonder if that's back to Salah's earlier point of digital transformation. It happened ahead of security, it appears, in a lot of cases across many industries, but now we're trying to play that catch up. But is it a fear that, oh, we've been using this stuff
33:23
and we don't wanna know what's vulnerable? And so I'd love to get all three of your perspectives on what you think needs to happen to kind of stop that, oh, we have to go somewhere else besides the source to get the information to do the research. So Kaylin, just one thing I think
33:42
that is maybe important to note here. So ICAO have published a cyber security strategy, which was published fairly recently. Salah probably knows this better than I do. But one of the things that's clearly called out in there is that states should be enabling mechanisms so that good faith researchers can collaborate.
34:04
So ICAO have recognized the importance of that. Hopefully more states will be recognizing the importance of that. I mean, Harley, I get your point. Sometimes it is confusing and it's not always clear who you're supposed to report what to. But I think it's, hopefully that's something that is a quick win that many states
34:22
can implement fairly easily to start kind of building at least the mechanisms we're reporting in. So just my two cents on that one. Hopefully that's something we can move forward. So I don't wanna diminish the fine work of ICAO and others in producing those types of guidance.
34:40
I mean, I guess part of the point is that states should implement that guidance. Yeah, totally agree, totally agree. Yeah, I know that Harley, you have a good point. And I wanna say from a global perspective, we cannot enforce. We have to encourage the states to take actions and help them to take the necessary actions.
35:03
That's what the internationalization does. But I may have a different perspective from you when we talk about cooperation and collaboration at a global level. As I'm saying, I'm a researcher myself. And I see mainly in Europe,
35:21
a lot of cooperation going on, a lot of coordination. I participate every year in some what we call innovation days in Europe, where we put all the research community together and we discuss several subjects. And last year, I was there to talk about exactly this subject.
35:40
And I see the community very engaged on that. I can't specify to you now to the community how this happens all over the world, state by state, because again, there are some regional difference, there are some national difference, there are some different ways to produce regulation
36:01
and to deal with the research community. But from a global perspective, I can tell you that the cooperation is ongoing. Obviously, sometimes there are some, although you may not agree with the, that aviation is a special industry, but I keep saying the same thing
36:21
that thousands of people die in car accidents every day. And nobody knows and nobody cares. If you have one aircraft that crashes for a small thing that could be and kill 50 people, it will be on the first page of any newspaper. It will be on the headlines of any television channel.
36:42
So that's what we call aviation is a special industry because we are doing something that goes against the nature, right? We are not made to fly, okay? We are not made to fly and we fly and we fly. We are doing something against the nature. So this call attention of the community
37:01
because we are doing something that is special. We are flying and we are not made to fly. So that's call attention. So sometimes in the aviation industry, we try to be very conservative in our approaches just to avoid people. I will use Kaylin as an example. I don't want Kaylin going, or Harley,
37:21
I don't want you guys going to the airport thinking, oh my gosh, am I going to arrive to my destination today or not? We don't want you to think about that. I want you to go to the airport like you go today. You go there, say the maximum you award is, my flight's gonna be 30 minutes late,
37:42
10 minutes late, one hour late, but you never think about the safety of flight. You never think about that because you know that our industry has high level of safety and it's very conservative, I have to be honest with you. And we are evolving, we are improving this, but we are very conservative because of the attention
38:02
that the industry attracts from the media when something goes wrong. But I think I see the research community coming very, very close to the aviation stakeholders in producing very good material and I always give the example of Europe,
38:21
although I'm not a European, but I always give the example of Europe because I can see the cooperation going there and I'm quite happy with the scenario that I see there in terms of cooperation, industry and research community. Just to clarify, so the comment about aviation not being special,
38:41
that was more from the researcher's perspective on whether they're going to perform the research or not. I absolutely agree that the way the media handles safety issues with aviation is different from things like cars, like vehicles. And that is something that I think is important for researchers in particular to consider
39:01
as they're conducting their research and I think it requires special outreach from both the researcher as well as whoever's facilitating the disclosure, whether it's FAA or CISA to help manage the media to avoid unnecessary sensationalism. And on the collaboration point,
39:21
I don't wanna sound all doom and gloom. Remember, I opened with saying that I do think it is changing. It is, it is changing and it's changing in a lot of different industries, aviation included. The fact that we have an aerospace village at DEFCON is proof positive of that. It's just, there is a sense that it is lagging behind in some other industries, I do think.
39:41
Medical devices being a really good example. But it is happening, the collaboration is increasing and I do think that that's very positive. And Harley, I know that within the, I believe the last year, your organization has worked with the aviation industry and the aerospace industry on a disclosure.
40:00
And so I'd be interested just to get your perspective on that process and if it was what you expected or if it was better than you expected or just kind of talk us through that process because I do think it gives a good picture of where things stand now and hopefully where they'll go. Okay. Well, so it's a happy story.
40:22
It's a positive ending. And ultimately, vulnerability disclosure ought to be a positive thing. It ought to be a, hey, an independent genius found a security flaw and worked with the industry and worked with regulators and now it's fixed and everybody's safer. That's the ideal scenario.
40:41
And ultimately, that's how it went for us. One of our brilliant researchers, Patrick Kiley, who is also a pilot, discovered a flaw in CAN bus. So of course, that's the network standard that enables control over vehicle launches. And he demonstrated that it was possible to send false messages through CAN bus
41:02
that could, among other things, display incorrect information to the pilots such as compass and altitude and engine data. And that can have a serious impact. So Rapid7 worked for about a year to coordinate the vulnerability disclosure with government agencies as well as the industry.
41:20
There wasn't like a single manufacturer whose CAN bus is used so widely. And it involved a lot of collaboration with the FAA, with CISA and the aviation ISAC and as I mentioned, with the media. And honestly, our experience was a bit mixed. Initially, the ISAC and the FAA
41:42
were inclined to dismiss the CAN bus flaw because to exploit it required some level of physical access to the craft's wiring. But that could be done, for example, by compromising an existing device on the craft. But the ISAC and the FAA had argued
42:00
that their physical security controls around aircraft prevented this from ever happening. And from our perspective, this was us learning about this and learning more about the unique other controls that are around aircraft, but also deciding that they were right that physical controls reduce the risk, but that physical controls alone
42:20
were not a complete substitute for secure network design and that relying just on physical security was unwise. And unfortunately, to be real frank, at least in the early days, it felt like the priority was avoiding bad pressure with the industry. On the other hand, we found CISA within DHS to be excellent facilitators
42:41
of the coordinated disclosure process. And they actually went out of their way to independently verify Rapid7's findings and to put out their own advisory on the CAN bus flaw. And this lent additional credibility to the seriousness of our research, which was ultimately helpful in getting buy-in from the industry, from the ISAC, from FAA.
43:01
And importantly, Rapid7, we are also very responsible as researchers. We worked privately with these entities and worked under embargo with the media long before going public in order to put the findings into context and to note that the risk was reduced because of physical security controls,
43:21
to avoid sensationalism, and so that we could go out publicly when there was a greater understanding of what exactly the issue was and what mitigations were possible. And we recommend that researchers take a similarly cautious approach. And so in the end, after about a year of verification and coordination,
43:41
the flaw was disclosed publicly in a white paper. There was not a ton of hype in the media, although it was acknowledged in the media. And we think it was ultimately a win for collaboration, coordinated disclosure, and the value of security research in avionics systems. Thanks, Harley, for walking us through that
44:01
and in your experience. I am glad that we were able to end it on a happy note of success. Coming from, I'm a media communications person, so I do know how hard it is in the cybersecurity space especially. It's hard to get the stakeholders at an organization
44:22
to get on board with talking to the media and doing things like that. And then that only helps to build trust and there's a great core of cybersecurity journalists out there who truly wanna get the story right and they wanna get the facts out there and they're not about sensationalism. And so I do think that having that community
44:41
is going to help this process in a lot more ways than once. I'm glad that you brought it up because I do think there are trusted media advocates out there that wanna get it right because they wanna see this happen more. They wanna see the communities working together, research being disclosed and then acted on. And so I'm really happy to hear about your process
45:02
and the success that you guys had at Rapid7. We're running up a little bit on our allotted time. So I just wanna make sure that each of you have a few minutes to say any final parting thoughts. And again, just thank you so much for taking the time. It's been just a pleasure speaking with you.
45:22
On my own, legs first. Thanks, I was just gonna say, Harley, that's such a great example of Rapid7's research and your own research in such a positive outcome. And I think, hopefully in future, it won't take a year. Hopefully in future, people on both sides
45:40
will be more aware of the context and the environment and the requirements of the situation so that those disclosures can happen faster and you can have an overall positive experience, not just like partially positive. But no, that sounds like really, really great work. And I just wanna say thank you to the Aerospace Village for having this panel today.
46:01
I think it's really positive. And I'd also like to thank the good faith researchers out there. I think that their work is really, really important. You know, we do need it. The aviation industry needs it. And the only ask that I have is that they don't give up on building those bridges and they do reach out and they do try to get in touch.
46:21
Because I know, you know, we as a regulator really do wanna have those conversations. So thank you. Just like to thank you for the opportunity to be here with you guys. I really appreciate that. And we encourage the research community to come closer and closer to the regulators, to the
46:43
ethnic manufacturers and the aircraft manufacturers. Because they all need the work the research community does. For example, in ICAO, we also need, the only difference that papers presented to ICAO most of the time, they are not scientific papers. They are more technical papers.
47:01
So you have to adapt the language because the communities are very broad communities that sometimes they will not get it if you go on the scientific language. So I really encourage anybody to come to us and present whatever research you're doing.
47:21
We are always open to receive information from different sources and we really appreciate that. And we need that. As I said, I'm a researcher myself and I really appreciate when I have to cooperate with my peers in the academia and translate what they are saying into international civil aviation language and put it to the community to be discussed.
47:42
I really appreciate it. Thank you for the opportunity again. And they kind of said it all. So at the risk of repeating, but thank you very much for having us on the panel. Thanks for hosting the Aerospace Village at all
48:00
and DEF CON. Thanks for working so hard to build bridges between these different communities. Also thank you to the security researchers for the work that they're doing. The aviation industry for slowly changing, for changing and accepting this community. I know that it's painful and they're not always easiest community to deal with. But, and I guess one last thing I suppose,
48:23
it's kind of poignant that we're doing this remotely and that everybody's under a lot of stress and probably missing this annual gathering of such a unique and colorful community. So just much love to that community and stay safe. Thank you all so much.
48:40
And yes, I hope to Harley's point that next year or the year after we can do this panel again and we can be in person and I can meet all of you. But thanks again from the Aerospace Village. We so appreciate your time and your insights and just have a great rest of your day. Thanks.