The threats business aviation flight departments face may take many forms, ranging from physical, to financial, to digital. Exploring how aware they are of these potential hazards, and what they can do to help mitigate them was the goal of NBAA’s second annual security conference, held in May in Dallas. As the presenters explained, harm to a company’s assets or reputation can come from simply leaving a sensitive document on a hotel check-in desk, to an overheard conversation in a bar, to an intruder getting into a hangar and damaging an aircraft, to a flight crew and passengers put in peril from an unexpected geopolitical event. One of the underlying themes of the conference is that security is everyone’s responsibility, from the scheduler who selects the hotels, to the crewmember or passenger who is aware of possible danger, to the security coordinator who designs and implements the security plan at the home base, everyone must buy in to the program for it to have the best chance of preventing problems.
Security Begins at Home
While flight crews may have a sense of familiarity and comfort in their home base, companies must be aware of who might be interested in harming either them specifically, or similar companies, and assess how tight the security at their facility is. Flight departments should establish a security plan for their facility, detailing security protocols such as, who has access to the facility, what access prevention systems are in place (if there are locks on doors, are they used all the time?) and are there adequate security enhancements such as proper lighting and video cameras? Those questions are difficult enough if your company is the sole occupant of the hangar, but they multiply if you share your hangar with another company, and need to assess their level of security as well.
According to John Sullivan, managing partner of the Welsh-Sullivan Group, the plan is a living document that should be used to triage and improve lapses in security. Flight departments should conduct regular safety training, including tabletop scenarios with all the stakeholders, to ensure everyone understands the procedures, and he recommends that they continually assess their plan, refine it, and test it. If a breach of security does occur, Sullivan noted there needs to be an incident response procedure within the company, where all members of the department, from the top down to the lowest, know whom to contact first.
Taking It On The Road
When traveling abroad, flight crews and their passengers must understand the threats they face. Most Westerners are considered high-value targets, subject to anything from street crime to kidnapping to data theft. Crucial to the success of the trip is a pre-flight briefing using information readily available from a variety of sources both public and private, presented to both the passengers and the crew. They should be kept informed of any developing situations so they can respond to them if necessary during the mission. Sullivan recommends that the crew set an emergency rallying point away from their hotel, where they can gather and head to the airport, and they should also make sure that each passenger understands how to get to the aircraft if necessary. In troubled areas, flight crewmembers should travel in pairs or groups and keep tabs on each other, as the ability for a return flight depends on their well-being. When traveling to areas in turmoil, crews should fuel on arrival in case a swift departure is required.
When the aircraft is on the ground, Sullivan recommends it be checked at least once every 24 hours and its security systems engaged in an effort to deter any tampering.
It might be surprising, but the number one cause of death for Americans abroad over the past several years is ground transportation. In cases of accidents, many travelers might not be able to accurately describe their location. William Archer, global security director for L-Brands, noted that web travel support services such as iJet Worldcue or International SOS allow users to easily send an emergency beacon from their smartphone with their GPS coordinates. Those same applications can also be configured so crew and passengers can check in at a specific time each day, and issue an alert if the check-in is missed.
Greg Kulis with L Brands noted that passengers and crew are more vulnerable during their trip from the airport to their hotel, as any observers may notice that they arrived on a private aircraft and will draw their own conclusions about their potential target’s worth. He recommends the use of vetted ground transport and cautioned that transportation that isn't secure enough for the passengers is not secure enough for the crew either.
“Your airplane is a flying office and it’s becoming more network integrated, more capable,” said Keith Turpin, chief information security officer with Universal Weather & Aviation. “You need to be thinking broadly as you travel internationally, especially to high-risk locations where you can be targeted about how you are handling different aspects of cyber security.” Much sensitive information is transferred through satellite communication systems on business aircraft, and to protect that data the onboard systems should be configured to allow only certain portable devices operated by the passengers and crew to access the network, according to Turpin. He also suggests using a password for access, changing the password frequently.
Doug Young, Gogo’s vice president for software architecture, noted that many larger flight departments have added information technology specialists to help harden their systems against cyber attacks. He also warned that users shouldn’t be lulled into a false sense of security when using a VPN, as threats will continue to evolve and become more sophisticated.
Young suggested that flight departments perform threat assessments for all the different types of traffic that their passengers might conduct in the back of the aircraft, as different activities may have different risk-mitigation techniques. Another trend he has noted is flight departments and company IT departments performing their own vulnerability studies of vendor equipment. In terms of air-to-ground data transfer, over areas such as Russia and China, flight departments should assume that the system is compromised and refrain from transmitting sensitive materials, Young advised.