Airbus's UK infosec chief, Ian Goslin, has said that cyber-attack attribution is a matter for "nation states" – and has questioned whether some critical national infrastructure companies are taking the infosec threat seriously.
Goslin, speaking at the Farnborough International Airshow in Hampshire where Airbus is a major exhibitor, gave an example of an unnamed utility firm.
"We were talking to a utility and they had a facility, could be a pumping station, could be anything switching – they can operate that remotely. I said, what is protecting your link in terms of cryptography? They said, we've got a software package. I said, ooh, that's brave of you to do that. Standard commercial? Yes, standard commercial."
When asked if they thought they were a potential target for hostile actors, the company said, according to Goslin: "Yes, of course we do, we heard [chief exec of GCHQ's public-facing arm, the National Cyber Security Centre] Ciaran Martin say it's not a matter of if, it's a matter of when."
"Right," said Goslin, "and do you think it's strong enough? 'Well, it's cryptography,' was the reply. Yes, but do you think it's strong enough? 'Well, it's cryptography.'"
It was the mindset that because they had "cryptography" they were automatically secure, said Goslin, summarising the company's approach as "cryptography is cryptography is cryptography" – something regular Register readers will know full well is a false economy.
A former Royal Air Force officer turned Airbus Defence and Security exec, Goslin – an engagingly fast-spoken Welshman based in Newport – criticised some "critical national infrastructure" companies for not having a chief information security officer: "There are similar attitudes which I think are low down on the maturity chain."
In terms of Airbus's own airliner products, the infosec world was rocked by claims from late last year that the US government's pet white hats had reportedly compromised a Boeing 757 airliner. Goslin was open about this, stating that while Airbus and Boeing are cut-throat commercial rivals, "in cybersecurity we collaborate with them completely. It's in both of our interests to ensure each of us understands the threat and where it's coming from."
While both companies have "a lot of intellectual property" they want to protect from the other – Airbus perhaps more so than Boeing, given the former's acquisition of Canadian aerospace also-ran company Bombardier's C-series light airliner design, now marketed as the Airbus A220 – in the face of common cyber adversaries, all of that rivalry goes out of the window.
"If either of us is compromised it has a massive impact on the whole of the industry. That's one of those things in terms of maturity, approach of thinking," said Goslin. "The aircraft industry is very mature in that respect."
In terms of product security, he was keen to stress that Airbus, which is one of the world's two largest commercial airliner companies, makes all of its design decisions "through the lens of cyber. We are going to do this; is there a cyber implication? We are going to do that, does that have a cyber implication?"
He also spoke about the threat from traditional cyber-foes of the West in North Korea, China and Russia, saying (as he would, being chief of the infosec business unit) that while Airbus is deeply invested in cybersecurity, attribution of attacks is a matter for nation states and not "individual companies".
Goslin also briefly touched on the infosec implications for airport security, giving the example of an airport baggage carousel and an X-ray machine in the security queue. Disabling either is an inconvenience, he said, while compromising the X-ray machine "is worse than it failing" because "if it's failing you know you've got a problem".
"What we've done is said 'give us those systems and we'll analyse the vulnerabilities on each one', using that as a case study," he said. "It isn't just the technology, it's the core system of systems, saying this is what we can do to mitigate" threats from hostile actors.
Yet, despite all the moves towards modernity, recognising threats for what they are and educating business-focused people that infosec is just as critical as any other revenue-generating line of business, Goslin pointed out that antiquated crypto is still an ongoing problem:
"When I joined the military they had a new crypto that was installed... When I left 28 years later that crypto was still in use." He added that while the particular system he was referring to was still within "the longevity of its capability", he was clear that he did not see today's crypto "having 30-40 year lives in future".
"I think that's going to come way down. There will be a regular refresh of the technology." ®
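Goslin's two points, that "we've got cryptography" says nothing about whether the cryptography is strong enough, and that crypto deployed decades ago should not be assumed fit for purpose today, can be made concrete with a small policy check. The script below is an added example written for this article; it is not Airbus's, NCSC's or any utility's code. It parses OpenSSL-style cipher suite names, grades a remote-control link's negotiated parameters against a policy, and flags a link whose deployment date is past a refresh horizon. The thresholds (TLS 1.2 minimum, 2048-bit RSA, a 10-year refresh horizon) and the two sample links are assumptions constructed for the example.

```python
import re
import ssl
from dataclasses import dataclass

# Policy thresholds: assumptions made for this example, not figures from the article.
MIN_PROTOCOL = "TLSv1.2"
MAX_DEPLOYMENT_AGE_YEARS = 10   # far shorter than the 28-year crypto lifetime Goslin describes

PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
WEAK_CIPHERS = ("NULL", "EXPORT", "RC4", "DES-CBC3", "DES", "IDEA", "SEED")  # longest match first
WEAK_MACS = {"MD5", "SHA"}        # in OpenSSL suite names a bare "SHA" means SHA-1
AEAD_MODES = ("GCM", "CCM", "CHACHA20-POLY1305")
FS_KEX = {"ECDHE", "DHE", "EDH"}  # ephemeral key exchange gives forward secrecy


def parse_cipher(name):
    """Break an OpenSSL-style suite name (e.g. ECDHE-RSA-AES128-GCM-SHA256 or the
    TLS 1.3 form TLS_AES_256_GCM_SHA384) into the properties the policy checks."""
    n = name.upper().replace("_", "-")
    parts = n.split("-")
    if parts[0] == "TLS":              # TLS 1.3 suites always use ephemeral key exchange
        forward_secrecy = True
    else:
        forward_secrecy = parts[0] in FS_KEX
    m = re.search(r"(?:AES|CAMELLIA|ARIA)-?(\d{3})", n)
    return {
        "forward_secrecy": forward_secrecy,
        "aead": any(mode in n for mode in AEAD_MODES),
        "weak_cipher": next((w for w in WEAK_CIPHERS if w in n), None),
        "mac": parts[-1],
        "key_bits": int(m.group(1)) if m else None,
    }


@dataclass
class LinkConfig:
    """What a remote-control link negotiates; every value used below is constructed."""
    name: str
    protocol: str
    cipher: str
    rsa_key_bits: int
    deployed_year: int


def assess(link, now_year):
    """Return the reasons the link is NOT strong enough; an empty list means it passes."""
    findings = []
    p = parse_cipher(link.cipher)
    if PROTOCOL_RANK.get(link.protocol, -1) < PROTOCOL_RANK[MIN_PROTOCOL]:
        findings.append(f"protocol {link.protocol} is below the minimum {MIN_PROTOCOL}")
    if p["weak_cipher"]:
        findings.append(f"weak or deprecated cipher {p['weak_cipher']}")
    if not p["aead"] and p["mac"] in WEAK_MACS:
        findings.append(f"non-AEAD suite with weak MAC {p['mac']}")
    if not p["forward_secrecy"]:
        findings.append("static key exchange: a leaked key exposes all past traffic")
    if link.rsa_key_bits < 2048:
        findings.append(f"{link.rsa_key_bits}-bit RSA key is below 2048 bits")
    age = now_year - link.deployed_year
    if age >= MAX_DEPLOYMENT_AGE_YEARS:
        findings.append(f"deployed {age} years ago; refresh is overdue")
    return findings


# Constructed sample links (hypothetical, not any real utility's configuration).
LEGACY_LINK = LinkConfig("pumping-station (legacy package)", "TLSv1", "RC4-MD5", 1024, 2006)
REFRESHED_LINK = LinkConfig("pumping-station (refreshed)", "TLSv1.3",
                            "TLS_AES_256_GCM_SHA384", 3072, 2018)


def local_ciphers_failing_policy():
    """Suites in this interpreter's default TLS cipher list that the policy would flag."""
    ctx = ssl.create_default_context()
    flagged = []
    for c in ctx.get_ciphers():
        p = parse_cipher(c["name"])
        if p["weak_cipher"] or not p["forward_secrecy"] or (not p["aead"] and p["mac"] in WEAK_MACS):
            flagged.append(c["name"])
    return flagged


if __name__ == "__main__":
    for link in (LEGACY_LINK, REFRESHED_LINK):
        findings = assess(link, 2018)   # 2018: the year of the airshow quoted above
        verdict = "strong enough" if not findings else f"{len(findings)} finding(s)"
        print(f"{link.name}: {verdict}")
        for f in findings:
            print("  -", f)
    print("default suites this interpreter still offers but policy flags:",
          local_ciphers_failing_policy())
```

Both sample links "have cryptography"; only the findings list tells them apart. The last line runs the same parser over the local OpenSSL default cipher list, which is a quick way to see that even a current, "standard commercial" stack can still offer suites a policy would reject.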