In the contemporary era, computer systems play an increasing role in people's lives, and the field of security has grown in importance accordingly. Organizations transmit sensitive data across networks and devices in the course of doing business, and the discipline of cybersecurity is dedicated to protecting that information and the systems used to process or store it.
Cybersecurity features high on the agenda of many state and commercial enterprises, and significant amounts of time and money are being invested in concrete cyber prevention and management initiatives. However, despite the focus on this critical area, challenges abound, and the existing interventions are insufficient: the threats advance more quickly than the measures put in place to address them.
Many organizations are grappling with one major question: How can we protect data?
A significant portion of the data stored by business and state enterprises contains sensitive information, be it intellectual property, financial data, personal information, or other types of data. Unauthorized access or exposure of this data could have far-reaching consequences. Cyber-attacks and digital spying are the top threats to national security.
For this post, I had the privilege of interviewing Dr. Pascal Andrei, Airbus SVP Chief Security Officer, who leads all security activities for Airbus companywide. Dr. Pascal Andrei plays a very active role in international cooperative efforts to guarantee the overall (cyber, product and physical) security of the commercial aviation industry infrastructure. He coordinates security across all divisions (Airbus Commercial, Airbus Defence and Space, Airbus Helicopters), and his responsibilities span the product security of aircraft, helicopters, satellites, drones, and fighters. He leads teams in over four Airbus core countries (FR, GE, UK, SP) and other major countries (USA, China, Mexico, India…), in addition to managing subcontractors in different regions of the world.
He holds a French state Ph.D. in Competitive Intelligence & Security from Paris University, after a Mathematics and Physics Masters. He added, on the occasion of a stay in the United States with the Center for Scientific Defence Studies, a PhD at the Defense Scientific Studies Center of Marne la Vallée, with Admiral Pierre Lacoste (former Head of French Secret Services) as godfather and sponsor.
Dr. Pascal Andrei is a pioneer in his field. He was at the origin of “ISCOPE”, a search system that was created long before Google even existed, and developed a dedicated natural language engine tool, positioning him as a key person in the French intelligence community.
Many of Dr. Pascal Andrei’s positive attributes allowed him to serve his country to the fullest when he joined the French group “GIGN”, the elite intervention tactical unit of the French National Gendarmerie, as an operational reservist; he was decorated Knight of the Legion d’Honneur in 2017. During his career in this capacity, he dedicated his efforts to developing the logistics to support the “French Intervention Forces on aircraft” of GIGN, which he refers to as his second family. Beyond the French elite, international counter-terrorism units benefited from this experience. From aircraft security features dedicated to Special Forces intervention during a hijacking to testing explosives on aircraft (hot breaching, pressurized aircraft…), this work has contributed greatly to securing the air transportation industry after the very sad 9/11.
Dr. Pascal Andrei strongly believes in resilience through passion. Throughout his career, he has consistently demonstrated strength and determination in the face of adversity. Out of his 7 jobs in 28 years, he has never applied to an existing position. He has created each of them and demonstrated its value to the executives for the sake of the company. He was one of the victims of the “Furiani Catastrophe” on Tuesday 5 May 1992, during which the football stadium stand fell 20 meters, and he sustained serious injuries that put an end to his dreams of becoming a helicopter pilot in the French Army.
However, while one dream of serving others came to an end, Dr. Pascal Andrei focused his efforts on pursuing his natural purpose to protect others, and his desire to help people outweighed the physical challenges he experienced in the aftermath of the accident. He worked hard to overcome the obstacles in his way and resiliently followed his passion to secure a role in the aerospace industry, an alternative avenue through which he could serve humanity.
Dr. Pascal Andrei warmly received us at Airbus Commercial Aircraft in Toulouse. He began his career as head of competitive intelligence for the Aerospatiale Group, where he implemented his PhD’s outcomes. After 7 years, he became the head of Aircraft Security, which he led for 15 years, before coordinating the security of all Airbus products and lastly becoming the Airbus CSO.
During our meeting, he shared some fascinating insights into how competitive intelligence can be incorporated into a strategic vision to ensure that airplanes and the associated technical systems are protected from unauthorized access.
Dr. Pascal Andrei started the interview by kindly showing us around the inside of an Airbus A380, illustrating the way security was fully part of the design (inception) of this disruptive aircraft from its conception. He proudly described the achievements of his team and the central role they played in the development and certification of a new generation of aircraft that was specifically designed and developed to resist both computer and known physical attacks.
Resilience Involves Understanding the Real Threat
According to Dr. Pascal Andrei, hackers seek to exploit weaknesses in network architecture and configuration to launch attacks. System limitations and flaws can result in the intentional or unintentional destruction, interruption, degradation or exploitation of the data, systems and networks that are critical for the safety of an airplane. As such, cybersecurity represents a fundamental element of cyber resilience that, in turn, contributes to business resilience. But resilience starts with a strong understanding of the threats and potential consequences. By design, each Airbus product (aircraft, helicopters, satellites…) integrates security specifications. They are part of the inception and initial program requirements. The remaining risk is therefore well understood and mastered, providing valuable inputs to the systems' resilience. In a crisis, such anticipation determines how successfully the crisis is managed and resolved.
Of course, in parallel to cybersecurity, physical security is managed the same way. All kinds of potential physical threats (hijacking, cockpit laser pointing, electromagnetic waves, sabotage, drones, cabin explosion, ground-air short range missiles…) are taken into consideration during the architecture design and managed at the best possible level. Some very specific solutions depend on the requests of our customers; business jets, military, governments… sometimes require unusual enhanced security features.
Security threats, whether cyber or physical, are not limited to the embedded systems of the aircraft, helicopter, satellite… The whole value chain is taken into consideration.
Dr. Pascal Andrei insisted on this important element of the security chain. Inside Airbus, beyond the design office, the production, assembly lines, testing environment… are more than ever part of the security solution. Industrial control systems are the new targets, and Airbus takes that important element seriously in the security development of its products.
Like movie screenwriters, Dr. Pascal Andrei’s teams invent and identify all kinds of attack scenarios. They call it the aerospace “threatscape”. Creativity and imagination lead this important exercise, which tries to produce an exhaustive list of possible and representative threats across the whole aircraft lifecycle. Hundreds of scenarios have been analysed and formalized through risk analyses and taken into account during design phases. Aircraft security architects are the “urbanists” of the aerospace industry. They are obliged to think wider than the aircraft itself. Those scenarios encompass threats from the operational environment, once the aircraft has left Airbus facilities and been delivered to the operator, which needs to maintain this very high “per design” security level.
Cybersecurity Challenges Require a Holistic Response
There is a fundamental need to ensure that aircraft electronic systems are fully protected against unauthorized access at all times. This involves adopting an “entire organization” response to cyber threats that is based on a deep understanding of the contemporary business and operational landscape.
Protecting aircraft systems involves mapping and assessing the worldwide and cross-industries relationships that are in place across the cyber ecosystem, identifying the risks, and assessing these risks as part of a holistic plan to process information in a safe and secure manner. It also involves entering into productive relationships with external parties and government agencies to leverage collective intellectual capacity, skills, and knowledge.
Working in collaboration with different airlines is also of utmost importance. Sharing information about the risks and threats that are out there helps an airline develop a broader perspective of the risk landscape and a fundamental awareness of the security gaps. It might be surprising, but Dr. Pascal Andrei and his team work very closely with the competition. According to him, there is no competition when it comes to the security and safety of our aircraft. As such, in 2007 he created the “Club of 4”, which gathered the Product Security Officers of major OEMs (Airbus, Boeing, Bombardier and Embraer) around the common goal of commercial air transportation security of passengers.
That’s a real surprise. Generally, competitive intelligence refers to wide information processing and analysis with the aim of beating competitors on market share. Here Dr. Pascal Andrei described a totally different approach, using competitive intelligence to face highly organized common attackers, whoever they are: hackers, terrorists… “We face the same enemies” as he says. Initially, the “Club of 4” made a “gentleman's agreement” to exchange noncompetitive information on threats, experiences, processes… Such attackers can impair the security of air transportation and thus break passengers' trust. Together, manufacturers are breaking the boundaries of competition for better resilience in the face of growing threats. Dr. Pascal Andrei likes to say that, in the face of well-organized, smart and dynamic attackers, the union of industry leaders through information sharing is the key success factor of our security shield, the keystone of our protection vault.
Today, Dr. Pascal Andrei sits on the Board of Directors of the Aviation ISAC (Information Sharing Analysis Center), chaired by Boeing and gathering airlines, airports, aircraft manufacturers and all kinds of aerospace stakeholders.
For its part, Airbus resilience relies on a well-aligned network of renowned experts. These specialists are constantly examining a range of potential risk scenarios with the objective of identifying and evaluating all security threats and subsequently putting in place effective system security protection strategies by which the airplane can be protected. Regular penetration tests are performed by Airbus “Red Teams” on aircraft representative of flight tests, in order to make sure of always being ahead of the threat and to upgrade accordingly if necessary.
Processes are crucial in defining how the organization’s activities, roles, and documentation are used to mitigate the risks to an organization’s information. By identifying the cyber risks that an organization faces, business leaders can start to evaluate what controls need to be put in place and the technologies required to do so. Depending on the outputs of a risk assessment, technology can be deployed to prevent cyber risks or reduce the associated impact to an acceptable level.
Managing information, monitoring the various electronic systems suppliers, and providing remote assistance through digital certifications—including all post-type certification modifications that have an impact on the approved electronic system security safeguards—represent key functions through which the security of an aircraft can be maintained.
Cyberattacks are Becoming Increasingly Sophisticated
The majority of organizations have typically focused their security efforts on resistance. To date, organizations have directed their efforts to developing robust, resilient “fail-safe operations” that can withstand unexpected cyberattacks. However, the unpredictable nature and unprecedented scale of the cyber threats that companies now face mean that organizations must move from the fail-safe approach toward designing a system that is “safe to fail.” This is decisive in the aerospace industry, where safety is at stake.
The challenge for the aerospace industry (with long development program cycles and long-term regulation processes) is to keep racing ahead of a fast-moving threat and rapidly evolving hacking technologies. Airbus started this race very early, making sure it is always ahead, using the best competences, and leading the industry movement. From standardisation and threat intelligence to risk analyses and the associated mitigation means, the manufacturer has set the standards and associated rules for the benefit of the aerospace community.
Pilots Need to be Trained to be Real Pilots
Technology evolution requires management and culture changes. There is an inherent need to create a culture of readiness for change through simulation exercises that challenge the existing centre of crisis management, command and control, manuals, and plans. Unlike the relatively safe air travel we enjoy today, pilots in the 1920s didn’t benefit from highly functional technologies. They didn’t have access to radar, autopilot, or even information about the fuel capacity. They simply had their hands on the wheel, pushed the nose down, and adjusted the power accordingly. Their chance of survival was determined by their experience, and it was this experience that allowed them to accomplish amazing feats in very uncertain circumstances. This is the current dilemma. While aircraft are more and more computer-assisted for the benefit of flight safety, pilots must evolve at the same time to manage the new generations of systems on e-enabled aircraft.
In reality, it is a pilot’s skill and experience that can ultimately stand up to the realities of a security breach. Pilots need to have the necessary skill and experience to disconnect the airplane from the automatic systems and pilot the aircraft to safety. In addition, a captain remains a pilot and not a security agent. The aircraft must be resilient to any potential in-flight cyber-attacks in order to keep the pilots concentrated on flight management during the long hours to the final destination.
Cyber-threat intelligence, which is provided by a number of external providers, cannot give an organization sufficient visibility into the dangers it faces, unless properly interpreted. Ongoing research efforts and strategy development will rely on the existence of effective internal intelligence programs that sharpen awareness of risks and enhance resistance by astutely identifying where the real threats lie.
Ana Paula Araujo Mendes
Many Thanks to:
DR. PASCAL ANDREI – AIRBUS SENIOR-VICE-PRESIDENT CHIEF SECURITY OFFICER
Dr. Pascal Andrei has a French state PhD degree in Competitive Intelligence & Security from Paris University after a Mathematics and Physics Masters. Leading all security activities for Airbus companywide, he was nominated personality of the year in 2015 by the Air Transportation System Security community in Dubai.
Dr. Pascal Andrei sits on the Board of Directors of the Aviation ISAC (Information Sharing Analysis Center).
Dr. Pascal is a reservist of the “GIGN”, the elite police tactical unit of the French National Gendarmerie, and was decorated Knight of the Legion d’Honneur in 2017.
Airbus Communication for authorizing the interview.
Nadjim Ait-Meddour for interview photos