In aviation, the bar for security is higher than average

David Callebaut, Chief Information Security Officer (CISO), Brussels Airlines 

Within the aviation sector, cyber security has taken off remarkably in the past decade. The appointment of a Chief Information Security Officer, or CISO for short, at Brussels Airlines, the pride of our national aviation, is testament to this. That is not to say the fight against cybercriminals is neglected in other sectors, only that the security aspect is literally vital in the aviation industry.

Brussels Airlines is celebrating its 20th anniversary this year. Today, Belgium's national airline is 100 per cent owned by Deutsche Lufthansa AG. As one of the Lufthansa Group's four network airlines, it connects the European capital from Brussels Airport to more than 85 destinations around the world, including 17 in sub-Saharan Africa. The company employs 3,200 people and operates 40 aircraft.  

For those not yet familiar with the term, what exactly does the role of CISO entail?  

David Callebaut: "As CISO at Brussels Airlines, I have a dual responsibility. On the one hand, locally, at Brussels Airlines itself, I am ultimately responsible for everything to do with information security and cybersecurity. That includes the overall strategy and all concrete projects related to it, as well as monitoring and reporting to local management. On the other hand, I also report on all that to the Lufthansa Group. At Brussels Airlines, in turn, I report to the CIO. I myself also have a background in ICT. I am an IT professional by training and took my first professional steps in the ICT world. But pretty soon I followed my passion for security. And meanwhile, I have been working in various security positions for almost 20 years."  

As CISO, do you also lead your own team that you can fall back on?  

"Yes indeed. At the moment I can count on about five employees working full-time on security, mainly in security analyses and compliance management. In addition, I can always call on colleagues from the Brussels Airlines IT team. And then there is the strong synergy with the Lufthansa Group. It has more than a hundred security profiles, including a number of deep experts. That extra knowledge base is quite handy."  

Striving for zero risk  

To what extent are cybercrime and cyberwar really an issue in the aviation sector today?  

"Both dangers certainly count as a hot topic within our business, for the simple reason that we play a crucial role in transporting people. If passenger traffic suddenly comes to a halt, we can fortunately fall back on interim solutions. During the pandemic, for instance, many of us learnt to hold meetings remotely, via Microsoft Teams for instance. But these are not permanent, fully-fledged alternatives. We all feel that, whether for work or purely for pleasure, we still need to make that physical move from time to time. If that option falls away, we are in serious trouble. And I don't just mean us as a commercial enterprise, but society as a whole."

What are the most important or common threats to your organisation?  

"I suspect we are not that much different from most other companies, in Belgium or abroad, in this respect. The classics for us too are still phishing, ransomware and DDoS attacks. These common types of threats also pose the greatest risks. Where we do differ from other companies and sectors is in the potential impact such a cyberattack can have. If a car's engine fails, that car will stall and, at worst, create a nasty traffic jam. If an aircraft's engine fails, that's a completely different story. That immediately explains why there is such a strong convergence between safety and security in aviation. Although I should immediately add that today it is absolutely impossible to remotely influence an aircraft engine. The link between the IT systems and the purely operational systems - such as the engines - does not exist today. The technical operation of aircraft is not the domain of the information security team. But at the same time, we are involved parties. We are in charge of IT security so that those technical services can do their work. Or to put it another way, the security of whoever gets on a plane is not in the hands of IT people. In aviation, the physical security aspect invariably takes precedence over information and cyber security. After all, you cannot expect customers to board a plane without being one hundred per cent sure that the aircraft in question is safe. Therefore, when it comes to aviation security, there is no margin for risk. Whereas within, say, an ICT environment, you would allow more risk or at least accept that risk for now, pending a solution."

Connected world  

Which evolution worries you most today? 

"The increased connectivity. Until a decade or so ago, this was a non-issue: aircraft were not connected to all kinds of networks. So, you couldn't access them remotely either - electronically, I mean. You really had to already be physically present in the aircraft to gain any access to the on-board systems. But the past decade has seen a general trend of connecting everything to everything, and preferably via the internet. The aviation sector, too, is not escaping this compelling trend. Therefore, not only at Brussels Airlines, but also at group level, we devote a lot of attention and energy to securing this new, connected environment. In this way, we ensure that we go along with this evolution in a controlled, well-considered way, which of course also offers a lot of advantages."  

With the war between Russia and Ukraine, cyberwar is taking a prominent role on both sides. Does that pose a risk for Brussels Airlines? 

"We are monitoring the situation at group level. Currently, we do not see any direct threat to our organisation in the conflict."  

You have experience in different sectors. Is the aviation sector more concerned about security? Is the bar higher?  

"I think so. The bar is higher than the average other industry, perhaps with the exception of the financial sector. But then that has been a victim of attacks for a very long time."   

Cyber warfare is also indicative of how security is evolving. It is the eternal battle between attackers and security providers.  

"True. In general, over the course of my career, I have only seen the world become more complex. The complexity of both IT systems and business processes has grown enormously. And ironically, that very complexity helps ensure that the proverbial mouse always manages to slip through the cracks somewhere in one way or another. Whereupon the proverbial cat - i.e. us - has to chase that mouse again and again. But I would be lying if I claimed that this eternal cat-and-mouse game doesn't also keep our work exciting day after day." (laughs) 

Dries Van Damme has more than twenty years of experience as an ICT journalist. He has published in (amongst others) Data News and is the manager of the media office Bureau 44.
