Blog: Aviation Cyber Security
As a pilot you will be all too aware of how important an electronic flight bag (EFB) is to you and your role. It’s probably critical to your performance calculations, your roster, pax lists and plenty more. It’s one thing if it’s not working, but have you ever stopped to consider what could happen if it was to fall into the wrong hands or be misused?
You don’t just have to misplace an EFB for it to become a problem. What if someone else got access to it either by using it whilst you weren’t paying attention, perhaps in a hotel lounge, hotel room or coffee shop. Or if it was stolen. Perhaps worse if a hacker remotely accessed it.
Those safety critical perf calculations are suddenly brought in to question. Was your FLEX/derate calculation correct? Is Vr correct? Are you heading for a tailstrike or runway excursion?
You may have passenger information on the EFB, approach charts, tech logs, defects and more. All of these can be sensitive if tampered with or misused.
Whilst your airline will take steps to help keep your portable EFB secure, you are part of the cyber security equation too.
Here are 6 steps that you can take to help ensure an uneventful flight.
Lock that screen
Whilst most tablet and laptop based EFBs will lock their screens automatically after a period of time, if you leave it unattended without locking it, anyone can tamper with it
It’s so easy to forget as you quickly pop to the bathroom, or hop over to the buffet for your final croissant and someone has unfettered access for enough time to compromise it?
Set a passcode on your device and a strong one at that. Four digits isn’t enough and neither is your birthday. A minimum of 8 digits will support biometric (fingerprint / face id) authentication rather than undermine it.
And when you leave your tablet, consciously lock it. Even better, just don’t leave it unattended, even when locked.
Out of sight, out of mind? ‘I didn’t let the EFB out of my sight, I promise!’. Just because you’ve not stopped looking at it, doesn’t mean someone else isn’t looking too. Sitting in a coffee shop running over pre-flight calculations with a ‘nosey Nancy’ shoulder surfing on the table behind you can allow for a data leakage. Now imagine if this data fell into the hands of someone wanting to tamper with it.
A basic awareness of your surroundings and the proximity of members of the public if you’re working on sensitive systems is a great place to start. Failing that, a screen privacy filter on your device makes things harder for someone else to see.
You need internet connectivity to finalise a few pre-flight checks, but your device has no cellular data and you rely on airport/ coffee shop Wi-Fi when out in public. Public networks tend to be open and can allow others to intercept your traffic in some circumstances.
Your airline should provide a ‘mobile device management’ (MDM) platform for your EFB. This provides an additional layer of security and can help protect your flight applications and data. If they don’t, you might consider a VPN which can help ensure anything you do on the internet, be it personal or work related, is secured in a private encrypted tunnel. Using public WIFI without a VPN or MDM can increase risk.
Updates, apply them
‘This device is constantly nagging me to update it, I haven’t got time… I’ll do it another day.’ Your device is nagging for a reason. Security updates and antivirus solutions are imperative to ensure the device and applications installed are up to date ensuring any vulnerabilities identified in previous versions, are fixed. Vulnerabilities in devices can often lead to full take over including all passwords, content, and data.
Updates can easily be managed by an MDM deployed by IT, but if there is no central management for employee devices, we suggest personally updating your device and all applications as soon as you receive a notification. Updates aren’t released just for fun.
However: there have been a very small number of issues where a device update has caused an EFB outage. Some airlines advise against applying updates until they have given the ‘all clear’. Check what your airline’s policy is. It may be that they haven’t properly considered this, so a nudge in the right direction might help
Heard the saying ‘ Don’t mix business with pleasure?’. Well, a company device is just that… owned by the company. Check what your employer’s policy is on personal use of the EFB. Don’t install your own apps without explicit permission
EFBs have been used for all sorts of personal tasks without enough thought: Don’t watch dodgy content or browse to potentially dangerous web sites on your EFB. Do you want to be the reason that your flight doesn’t dispatch, owing to you having something ‘nasty’ on the device?
An EFB should be restricted to only business tasks. This reduces the risk of downloading a rogue email, application or visiting a malicious website and downloading malware.
Sharing is not caring
You are responsible for your EFB. Don’t share it with others, as you have no control over what they’re doing with it.
If you need to share it with your co-pilot, perhaps because theirs isn’t working, that’s fine. But remember to keep an eye on what they’re doing. You wouldn’t want to be the subject of an investigation as a result of something they did to your EFB.
Your EFB is for your use. Don’t share it with family and friends. Share with your colleague if you absolutely have to for operational reasons, but supervise their use.
The more steps you take personally to look after the cyber security of your EFB, the less likely there will be an incident.
Security is partly about your airline employer and partly about you. Don’t let your side down.