Eric Stride [00:00:00]:
It’s really hard to secure your own system without your partner organization system being just as secure. So there’s an interdependency there that creates significant risk. And so everybody in the entire ecosystem needs to basically level up their security against the attacker in order for all of the system to be more secure.

Karissa Breen [00:00:36]:
Joining me now is Eric Stride, chief security officer at Huntress. And today we’re discussing growing security concerns within the aviation industry. So, Eric, thanks for joining me and welcome.

Eric Stride [00:00:53]:
Thank you so much. Happy to be here.

Karissa Breen [00:00:55]:
So this is a really interesting conversation about to have with you today because aviation, I’ve seen your background, you’ve got a great pedigree. So I’m assuming you’re probably the best person to ask when it comes to this. But I really want to get into this a little bit more considering aviation aircraft situations that we’ve been all reading in the news globally. Maybe let’s sort of set the scene like what’s happening out there?

Eric Stride [00:01:22]:
At the risk of sounding a bit alarmist, it’s at a crisis point right now as an industry. We’ve tracked a truly shocking rise in attacks against the civil aviation sector. The hard numbers show a dramatic 600% to year over year increase in cyber attacks between 2024 and 2025. And that surge is largely driven by organized ransomware campaigns. This isn’t a gradual increase, frankly. It’s an explosion demonstrating that adversaries have pivoted to target aviation as a high leverage opportunity. I would say that what’s going on is that threat actors realized how interconnected and fragile the aviation supply chain is. The game changer was the recent widespread ransomware strike on Collins Aerospace that just occurred in September of 2025 here.

Eric Stride [00:02:09]:
Collins is a vital aviation IT provider. And when that attack hit their widely used check in technology, major European hubs like London, Heathrow, Brussels and a few others were forced to revert to manual systems. We saw chaos. We saw massive backlogs. We saw thousands of passengers stranded. This single event proved that a strike on a single niche vendor can immediately cascade into a widespread operational collapse. That leverage is what threat actors are now weaponizing. And it’s not just the big global incidents.

Eric Stride [00:02:41]:
You know, if we look back over the last 18 months or so, we’ve seen regional impacts that still cause major damage. Look at the Seattle Tacoma International Airport, the SeaTac ransomware attack that happened in August of 2024, which disrupted multiple airport services and compromise the personal data of approximately 90,000 employees and contractors. Or the significant disruptions to the check in systems at Kuala Lumpur International Airport in March of 25 here. The bottom line is that the digital transformation of aviation is running far ahead of its security maturity. And criminal groups are frankly exploiting that maturity difference very aggressively.

Karissa Breen [00:03:18]:
Okay, so there’s a couple of things in there. So I don’t know if it’s just me, but. And I know like, even back in the day we didn’t have social media, people could capture all this stuff. Hard to sort of get a fundamental grasp of what was happening globally. But is there just more plain incidents than before or am I noticing it more? And it’s sort of like that whole theory, like when you notice a blue car, you just keep noticing it. Is it that or am I sort of onto something?

Eric Stride [00:03:42]:
No, no, you’re definitely on to something there. We’ve, we’ve seen year over year the increase in this, this sector rise significantly, right? But this last year, this last 12 month period, it’s been an explosion, right? And so it’s become an attractive target. And the supply chain is a key weakness there too. We’ve seen that as a cybersecurity industry. I mean, if we go back to 2013, right, to date myself a little bit doing cybersecurity then, and everybody talked about the target breach, how the attackers got in through the H vac vendor, that was another supply chain attack. And it opened people’s eyes a bit, and the attacker’s eyes too, because now they’re seeing that, hey, if I want to target major organizations, I don’t need to target them directly. I just need to target their supply chain and find a way in. And we’re seeing that across sectors, not just aviation.

Karissa Breen [00:04:32]:
So what’s coming in my mind when you talk about supply chain. So one thing. So I’ve spoken to people at Boeing before and now you’re obviously an aviation person more than myself. So just hear me out and follow, follow this for a moment. When Boeing sells an aircraft to, I don’t know, American Airlines or whoever, they said it’s on the airline to then run the maintenance and all this other stuff which can lead into, you know, this potential defects or any other stuff. Right. Then as well. Because if we look at the intersection between physical and cybersecurity, but then people just are really easy to blame the manufacturer when it’s like, well, hang on.

Karissa Breen [00:05:07]:
And I’ve spoken to people at these sort of businesses, they’re like, well, once we sort of sell it, like that’s not our responsibility to some degree. So do you think that it’s easy to sort of just blame like certain manufacturers that are out there? And I think that people are not getting the whole picture. Help me understand that a little bit more.

Eric Stride [00:05:25]:
Yeah. So what you’re hitting on there is really some of the challenges we have with operational technology systems, OT systems as a whole. Right. And this is very evident in aviation. Right. I mean we’re talking the systems that control physical processes like baggage handling, air traffic control. Traditionally these environments were quote unquote, disconnected from your typical IT environment and they had different security priorities. But now they’re all interconnected.

Eric Stride [00:05:54]:
We’re seeing a lot of convergence and attackers are often penetrating the IT environment first and then pivoting to the high value safety critical OT systems that were really never designed to resist modern network based attacks. And so this interconnectedness creates a massive attack surface area that criminals and state sponsored groups are actively seeking to exploit from a maintenance perspective. Right. Most of these vendors of OT systems look at it from a maintenance perspective and they typically haven’t really fully embraced the cybersecurity needs. And we’re at a point now where that’s being forced.

Karissa Breen [00:06:32]:
Yeah. Okay. And I asked that because obviously, you know, when I’m doing research and I’m looking what people are saying out there, I hear like, oh, you know, it’s another Boeing aircraft that’s had an issue. But I think that’s like, is if I buy a car from Hyundai and I drive 200000 miles and I never get any maintenance, never do anything and it breaks down, has an issue. I can’t really sort of call up Hyundai and blame them for everything because I didn’t do my end of the bargain. So do you think in terms of like accountability and stuff like that some of the airlines are sort of getting away with some of the things given that they are responsible for this when they’re operating this aircraft in the, you know, out there in the field, Bottom.

Eric Stride [00:07:07]:
Line, yes, they’ve gotten away with it in the past. I don’t know if they’re going to continue to get away with it. Right. So, you know, driving your Hyundai. Right. And I actually happen to have an Ioniq 5. Right. And it has all my required maintenance activities.

Eric Stride [00:07:21]:
What we’re going to see is that the vendors have to, for aviation, have to actually follow cybersecurity readiness in order to prove airworthiness. And this Is this is a relatively recent development, right? So it was legally codified in the 2024 FAA Reauthorization Act. And the FAA published a notice of proposed rulemaking a couple months later to formally integrate cybersecurity into that concept of airworthiness. And they use the term intentional unauthorized and electronic interactions. Right? And this, this basically defines any unauthorized human action, like an electronic hack or disruption that has the potential to affect the aircraft systems and interfaces. And what this really means for the aviation industry is that manufacturers seeking type certification for transport category airplanes, engines, propellers, are now required to conduct formal risk assessments specifically identifying and mitigating these iuei, the intentional and authorized electronic interactions threats. I always love how every sector has to make up their own acronyms, but these cybersecurity risks. And so it’s forcing cybersecurity and aviation to no longer be a peripheral compliance task.

Eric Stride [00:08:32]:
It’s going to become a foundational, non negotiable element of the physical safety case. So the industry must now adopt the mindset of the OT security expert, prioritizing the system’s integrity above all else. Because failure of that integrity in this domain can have very disastrous consequences.

Karissa Breen [00:08:53]:
Okay, I want to zone in then on attractive targets. So for example, I mean, I worked in a bank and security people want to get money, you’re going to go to bank to get it, or you scam someone or whatever you want to do. But going back to your point around supply chain with the aviation industry, what do you think is sort of the benefit? Is it that they’re transporting specific cargo or on that aircraft? Or like what, what sort of the motivation would you say?

Eric Stride [00:09:19]:
I think it really comes down to three things, right? It’s leverage, its data and its complexity. Let’s start with leverage, right? Aviation has a system built on real time logistics and zero tolerance for downtime. When an attack hits, say a critical scheduling system or a check in system, result is immediate. It’s visible chaos. Estimates suggest that one hour of operational disruption at a large airport during peak time can cost an airline about a million dollars. When you can guarantee that level of instant catastrophic financial damage, you generate incredible leverage for a ransomware demand. The second is the data, right? Airlines and airports are sitting on gold mines of sensitive information. Think about all the information you have to give over to your airline when you travel, especially if you travel internationally, right? They don’t just have your names and your credit card numbers.

Eric Stride [00:10:06]:
They’ve got detailed passenger data to include your pii, such as your date of birth, your home address, your Passport number, an emergency contact, their number, they’ve got pay details, they’ve got extensive travel history. This data is extremely valuable for identity theft and financial fraud in the criminal markets. Making a data breach basically a dual threat, incident disruption plus data theft. And then finally the fundamental complexity on the system creates huge vulnerabilities, right? So aviation operates on a fragile convergence of the IT and the OT networks. As we were talking about just a moment ago, those systems that control all of the physical systems, combined with the network systems that handle more of your traditional IT and your ticketing and your data processing. But these are all connected, but they have different security priorities. And so this interconnected it’s creating, as I said earlier, a huge massive surface area that’s providing a lot of opportunity for the attacker to have a much bigger impact than they were previously. And so kind of taking that to the next stage, right, that provides huge, huge opportunity to both, as an attacker, try to leverage these aviation industries, these airlines and such, into paying large ransoms or losing lots of money.

Eric Stride [00:11:33]:
And oh, by the way, I’m going to take all your data and sell it on the dark market and make money there. Not me personally, the attacker, right? But it’s a pretty serious risk.

Karissa Breen [00:11:41]:
Obviously last year with that major vendor outage and how much that impacted specifically like Delta and friends, that obviously had a very big impact right across the world. So going back to your example, so that’s, you don’t know LAX or Dallas, very big airports, trafficking a lot of people, planes, etc. Walk me through the damage. Just so people get a bit of an understanding of something goes wrong for an hour, what do we, what is that? How does the chaos start to unfold that quickly and what is sort of the flow on effect, would you say?

Eric Stride [00:12:12]:
Yeah, no, it’s a great question. So if you think about it, right, especially here in the United States, we have the busiest, most complex aviation system, right? Over 45,000 flights a day. The impact of a significant delay, right? Even something as simple as the check in system and forcing organizations to revert to manual systems is going to impact their ability to process everybody through baggage check, through security, through boarding, and, and it ends up having effectively a domino effect all the way down, right? And I think I might have referenced it earlier, right? The estimates that at a peak time, that’s going to cost airlines about a million dollars for one hour of disruption. And then if you think about how that cascades through their entire network, right, if as flights are delayed at one major airport, then impacts a delay at Another major airport, and then you have crew timeout issues and pretty soon that $1 million of outage per hour becomes tens to hundreds of millions of dollars of impact to the organization because everything is run on such tight interdependent schedules. Right? And that’s exactly what we saw last year with major Delta outage. Right. We’re talking triple digit millions. So very, very significant impact.

Eric Stride [00:13:28]:
And again, that goes back to then the leverage, right? Attackers see this and see this as opportunities because the airlines want to minimize that downtime as much as they can.

Karissa Breen [00:13:37]:
So the other interesting thing as well, so this is Shells, Washington, Australia. It’s called 20247 airport, I think, or airport security. Anyway, long story short, it’s Melbourne airport. A lot of flights going in there, they sort of take you behind the scenes, but because aircrafts are coming in overseas or domestically, they’re contingent on that actual airport running smoothly. So not only you got to think about your own company, you then sort of borrowing the land in which all these aircrafts are sitting on. And then they walk you through like some of the problems that they have, like, well, we couldn’t get this aircraft out to Dubai on time and therefore they’re starting to complain and passengers are angry and you can just start to see the domino effect. So how does the actual airport take a lot of their accountability around while we have to make sure that we’re servicing these airlines appropriately as well?

Eric Stride [00:14:26]:
That’s a great question. Because they have a very symbiotic relationship between the two organizations and they have to interconnect and share data and their processes and their electronic systems have to interact as a result. And so if both organizations aren’t applying all of the expected security measures, they’re going to end up impacting each other. Right. And so as an example, each system owner should be investing in robust hardening, network segmentation, continuous detection and response monitoring. They need to make sure that they’re implementing resilient operational protocols. And this effectively goes back to the supply chain challenge, because within this entire system, the weakest link is the component with the weakest security, right? Whether that’s the airport or the airline or some outside vendor that provides a critical system to either one of those organizations. And so looking at it as a whole system of systems, it’s really hard to secure your own system without your partner organization system being just as secure.

Eric Stride [00:15:40]:
So there’s an interdependency there that creates significant risk. And so everybody in the entire ecosystem needs to basically level up their security against the attacker in Order for all of the system to be more secure.

Karissa Breen [00:15:55]:
The operative word that you use there is like interdependencies. So how would you say, given your experience, like the maturation in the aviation industry, like, yes, you’ve got the airline, then you talk about the ot, which is the convergence in with like cybersecurity and systems and you’ve got vendors that you’ve got to use. And then on top of all that, you need to work with an airport to make sure that multiple airports, mind you, because you’ve got to go from A to B. Does all that look. And you know, what do you think about that in terms of the overall industry?

Eric Stride [00:16:21]:
Right. So I think it kind of takes us right back to the beginning here, right. We’re, we’re at a crisis point. The, when you look at the security of the overall aviation sector, it is not to the standard it needs to be yet. And so it creates significant risks. Right. The risk of ransomware, like we talked about with regards to the data, right, which we’re seeing all the time, Ransomware is the tool of choice for the attackers. We’re seeing over half of aviation cyber decision makers, quote, unquote, reporting that they’ve been addicted to ransomware in the last 12 months or so.

Eric Stride [00:16:56]:
But that interconnect, that supply chain really is the largest attack vector in my mind. Right. If we go back to the Collins Aerospace attack, right. That, that shows that that third party vendor, right, is key. And it wasn’t just localized. Right. It ended up having a global effect based on that attack, that the attacker could bring these, these core operations to a halt across multiple airlines, multiple airports. And so that that ecosystem is really only as guarded as that to at least secure partners.

Eric Stride [00:17:31]:
And so these threat actors, they’re really looking for that, that weakest link, that cheapest, most efficient path to the primary high value target. And really the disruption is caused by frequently it’s caused by incredibly basic security failures. If we look at the data on a lot of these attacks, the vast majority of large scale incidents that occurred in the last year or so, better than 70%, really began as something as rudimentary as credential theft or unauthorized access. We’re still seeing mass disruption stemming from things like phishing, social engineering, neglected default passwords, not necessarily some zero day attack which addresses kind of addressing these threats means not just buying expensive new tools, but forcing a culture of rigorous fundamental cyber hygiene across the global supply chain. I’m not saying you don’t buy the tools, but the tools alone aren’t Going to do it. You have to have this culture of cybersecurity.

Karissa Breen [00:18:24]:
So you mentioned before the aviation industry is not at the standard. How do you think we got there? Like, how do you think now? It’s like, well, I mean they play a pretty important role in our society. So how do you think it sort of just diminished into not at the standard? I mean in this day and age.

Eric Stride [00:18:40]:
Many of the systems are decades old. Right. And so they are in need of modernization and it’s, it’s a risk that they have been aware of for years. Right. That intentional unauthorized electronic interactions has been a term being pushed to the FAA for over a decade. Right. And trying to work these, these pieces in, but it’s been seen as a, a secondary priority. Right.

Eric Stride [00:19:05]:
Priority number one has always been the operations. Right. Trying to keep it working without disruption. And so now we’re being forced because of all these attacks into that, that modernization. And it is government activity, it is large systems that take many years to replace. And so the maturing of the attacker’s tradecraft has just accelerated such that they’re forced to have to engage that modernization now.

Karissa Breen [00:19:35]:
So do you think we’re at that point in time, it’s like we got to fault, like people’s backs are against the wall. Like we’ve, we’ve seen enough. People are almost living in fear. I’ve heard people when I’m in Ubers, when I’m going to the airport myself, they’re like, oh, I just don’t want to travel, don’t want to travel domestically, internationally. I’m scared. So what does that modernization journey look like? And I am aware with critical systems, it’s really hard. I mean sometimes some people like, hey, we’ve had this controller for 40 years. But first of all, it’s really expensive to replace.

Karissa Breen [00:20:01]:
It’s not even on any network. And what do we do? Legacy systems, you can’t patch them. There’s. How does that modernization look? Because we can’t have what’s been going on to continue.

Eric Stride [00:20:14]:
No. A hundred percent agree with you. An enormous undertaking. Right. And so the FAA has actually been pushing it. They call it their next generation air transportation system or next gen. And really this goal is to move the U.S. airspace system from ground based radar centric system to a satellite based data centric one.

Eric Stride [00:20:33]:
This is really going to revamp everything from communications to navigation to surveillance, automation and.

Karissa Breen [00:20:39]:
Right.

Eric Stride [00:20:40]:
All designed to increase safety, efficiency and capacity. From my perspective. Right. The most urgent part of this effort is the replacement of the core infrastructure stuff. You were just hitting on and so they’re actually. The FAA is actively seeking a prime integrator right now to develop this new flow management data and services system which is a massive overhaul replacing this current decades old traffic flow management system which is struggling with performance and maintainability. And so a failure in that current system is what caused the massive flight grounding across the US about two years ago. And it just underscores the need for a modern resilient replacement.

Eric Stride [00:21:21]:
And I think all of the attacks that we’re seeing recently is just putting more fuel on that fire. This modernization though does introduce what we call a little bit of security debt. Right. So an example would be a core component of NextGen is the reliance on ADS B, which stands for automatic dependent surveillance broadcast. And most folks who have followed aviation are familiar with ADS B has been around for a couple decades now, which improves situational awareness. But it has a critical inherent flaw. Its messages, which include position, identity, velocity, are fundamentally unauthenticated and unencrypted. This allows attackers to conduct classic cyber physical attacks.

Eric Stride [00:22:01]:
Spoofing where they inject false data to create ghost aircraft and confuse controllers, or jamming where they overwhelm communication frequencies to cause a critical loss of situational awareness. So this monetization is critical, but we have to pair it with immediate secure by design solutions like perhaps we need digital signatures on ADS B to avoid adding more security risk as we modernize the systems. Going to your point about the fear of the public, right? Many would say this fear is absolutely justified, but the media is also amplifying it. And so if we look at the visibility of all these high profile incidents, whether it’s physical near misses or massive cyber disruptions within the U.S. here, 65% Americans reported being more nervous about flying. Right. They don’t see these digital failures as just it glitches. They’re perceived as failures of operational safety.

Eric Stride [00:22:53]:
And that perception has consequences. And so it’s translating into action. Over a third of Americans have admitted that their anxiety has led them to change their travel plans, either by taking alternative transportation or canceling trips entirely. This behavior is amplified by negative sentiments and narratives being circulated across social media. And that actually presents a pretty serious threat to the long term growth and stability of the industry. So the industry, they need to respond. And you can’t promise perfect security because that’s impossible in this environment. Right? All of us in cybersecurity know that there’s no such thing as an impenetrable network.

Eric Stride [00:23:27]:
And so the the foundation of this modernization and of rebuilding Trust has to be demonstrating cyber resilience. It’s the capacity to minimize the impact inevitable attack, to ensure rapid detection, response and recovery, to maintain these critical services. So we’re starting to see regulators actually mandate that. So that’s a good thing.

Karissa Breen [00:23:50]:
Okay. There’s a couple of things in there that I want to get into. So in terms of impact, like I mentioned before, worked in a bank, right? So something happens, we’ll give you your money back as a bank. But when you’re talking about like aviation and stuff like that, like the supply chain, something goes wrong all of a sudden, you know, people can like lose their life as a consequence. So is this being taken into consideration, would you say? Like, I mean, it’s a lot, you know, when I was working a bank, like we can just generate some money in someone’s account, but I can’t generate someone’s life coming back. So that’s the convergence between, it’s, it’s starting to enter into this terrain of physical danger now. And these are things I’ve spoken about on the show before. Whether it’s a water plant, something goes wrong and the water gets infected and people drink it and then they get sick and potentially die.

Karissa Breen [00:24:37]:
So am I being like dramatic or what do you think about that? When I ask you that question, I.

Eric Stride [00:24:42]:
Think you’re hitting on something that’s pretty important there, right? It’s mindset shift from protecting data, protecting physical life. In traditional IT security, the priority is data confidentiality. But in aviation, particularly with all of the OT that controls aircraft and critical systems at non negotiable priorities, availability, integrity and safety. If a malicious actor compromises the integrity of flight data or denies the availability of a system like air traffic control, the risk instantly translates into physical danger and potential loss of life. And we have to take it seriously.

Karissa Breen [00:25:15]:
And this is the part, I mean, I’ve been speaking to people like yourself on the show for years and I think that this is getting into like these kinetic sort of issues that perhaps when we’re looking at just like, oh, you know, they saw some data, like all of that. Okay, that’s definitely not good. But like when you’re getting into like, oh, you know, a whole PowerPoint plant exploded and people died from it, like these are the things I’m starting to hear more come into the conversation I’m running on this show ever than before. So it must mean that this is a reality and this could happen.

Eric Stride [00:25:49]:
I would say that is a very accurate assessment. I think that is the, the areas where we have the Greatest risk is our critical infrastructure and key resources across the nation. And the cyber resilience of those systems are not at a level where they are adequately protected from cyber attack. And we have to, as a nation, engage there very aggressively in order to prevent the catastrophic impact of successful attacks on those systems.

Karissa Breen [00:26:21]:
And then going back to impact, and even like last year with the outage, for example, people started to wake up a lot more. I noticed just everyday businesses, corporates, thinking, well, we can’t have that happen. We lost so much money, we got angry cuts, customers on the phone. So would you say, given your background, unfortunately, it may have to get to an extreme catastrophic event for maybe people to start taking this stuff a bit more seriously?

Eric Stride [00:26:48]:
Unfortunately, that’s fairly accurate, right? It’s usually not until it hits home. It either hits your organization, your business, your government, or that of a close partner or ally before folks really take it seriously. Because there is upfront investment, right? And from a business perspective, most organizations are trying to minimize their, their costs and they see security as a cost center rather than as something that’s protecting their operations. And so that applies very much to the operational technology space where they historically had ignored cybersecurity. They’re getting wiser to the fact that they have to invest there, but it’s a trade off between how much are they willing to invest. And so I think it’s when organizations take a look at the full impact of the potential consequences that they then become more willing to invest appropriately in that security improvement, modernization, the monitoring the response actions. But if they aren’t taking the full impact of a successful cyber attack into consideration, they rarely invest appropriately. And like I said, they typically only do that after it either hits them or another organization similar to them where they’re like, oh, wow, how do I not become that organization? How do I avoid the same consequences? So it’s unfortunate that frequently you have to witness a successful attack first before it becomes real to folks.

Karissa Breen [00:28:21]:
So we just focus on like aviation companies, airline companies for a moment. Would you say that they are focused on this because that’s their business, that’s their core business and what they do. So would you say. Because, I mean, I’ve seen and I’ve heard people speak on the show in the past run, oh, you know, they cut corners in security, something happened, and then they’ve obviously had to go and do a whole bunch of work and, you know, completely revamp their security. I mean, there’s been major breaches in Australia from a PII perspective. They’ve had to really go back through and invest heavily and change the way they were doing things. But do you think like, airline companies are starting to do that or are they sort of just going, oh, you know, it’s going to be a big job, but I’m hoping we can sort of just get through it and see what happens?

Eric Stride [00:29:05]:
Or I think as a whole, it’s slow to adoption and regulation is going to force it. Both here in the US with what the FAA is doing with the integrating cybersecurity into airworthiness, also with what the European Union is doing with their regulation on information security and forcing these organizations to actually invest upfront and to validate their systems, meet expected security standards. And so for, like the European one, for example, I believe it’s early 2026 that airlines, airports and maintenance organizations have to comply with the compliance requirements to integrate improved information security into their systems and processes. So I think it’s a combination of folks realizing that, hey, these are serious problems, right? We’re seeing it with the significant increase in tax combined with regulatory pressure that’s forcing the companies to be more actively engaged in improving their security posture.

Karissa Breen [00:30:12]:
So I’ve watched a few plane crash documentaries. I’ve watched a fair few, actually. I don’t know, I seem to always find them when I’m traveling. But one thing that I know is there was one in the US Somewhere. They’ve got some subcontractor in he then when they obviously did the audit and they realized, hey, the subcontractor missed like 20 steps in doing the maintenance and that’s why it resulted in the whole aircraft crashing and people died. But if you look at that from a security perspective, if someone doesn’t do something and they’re flow on effect and all of a sudden it could lead to something catastrophic like that, something that people may think, oh, this thing I’ve got to do every week. Maybe they don’t think about it like that in terms of the impact that it has really on the front lines. Do you think? Because sometimes when we’re in security, we’re sort of behind our laptops or maybe we’re in our sock, but we’re not really on the front lines.

Karissa Breen [00:30:58]:
We’re not seeing the impact. We’re not up there dealing with the customers. Do you think sometimes people may not take their role in aviation from a security, information security perspective as seriously because they just don’t see it perhaps out of sight, out of mind or.

Eric Stride [00:31:16]:
Yeah, no, that’s. That’s the challenge of connecting it to operations. Right. We see that across many industries. Right. And I’ve seen it in my background, in my other roles as well, where even the IT teams, not just the management teams, the IT teams are kind of narrow visioned on. Well, this is, this is what I do. Right.

Eric Stride [00:31:35]:
And they don’t tie how decisions and failures in their, in their job have second and third order effects which obviously in something like aviation, right, that’s catastrophic potential impacts. And so tying the security of the system to the operational outcomes is critical. Right. And that’s a mindset shift that has to be driven from the top down. Right. That it is not just about it. This is about safety of flight. Right.

Eric Stride [00:32:08]:
This is about safety of navigation for waterways for those kinds of vessels. Right. This is for safety of operations for the military. Right. This is continuity of operations for the government. And because of our significant dependence on these systems and how they operate and drive all of these operational technology processes and systems, you have to draw that line, you have to draw that connection as a practitioner, as an IT systems administrator, as an IT security professional to hey, what I am doing is not just about the data here. It’s about protecting safety of flight for these operations, for the airplanes in the air, for the air traffic control system that guides them in for the systems on the ground. You have to draw that connection all the way out and the potential impact.

Eric Stride [00:33:03]:
And it has to be top down driven. There’s a leadership ownership there as well.

Karissa Breen [00:33:07]:
So would you say that’s happening or do you say it’s happening now because of the regulation and it’s like, okay, we’ve got to force your hand.

Eric Stride [00:33:13]:
I would say it’s probably more recent. It is definitely more of a being forced because of a combination of all of the recent attacks and the regulation. Not to say there wasn’t a voice before. There’s been a voice going back at least as far back as 2014 saying, hey, we really need to consider this stuff. We really need to work this into how we look at the safety of flight. But it’s only recently that we’re really seeing it take hold and enforcing people’s mindset shift that way.

Karissa Breen [00:33:43]:
But isn’t this how these businesses lose trust? And the only the issue with aviation as well, you sort of, you kind of have to use these airlines. I mean in the US there’s definitely more to choose from. But in Australia there’s like two major ones. So it’s like you need to get somewhere. You’re just going to have to go, well, I just going to have to go on this aircraft Got no choice. So do you think that maybe because they’ve got the monopoly in the aviation, it’s like, well, we can probably cut a few corners because there’s only a few of us. And you kind of have to, you’re, you’re reliant on these companies from getting you places.

Eric Stride [00:34:16]:
I don’t think it’s deliberate. Like, it’s not a, you know, hey, we’re going to cut this in order to. Because they don’t have a choice. I think it’s much more a result of trying to drive towards operational efficiencies. Right. And so I don’t think it’s deliberate negligence there. Right. Not to put a word in your mouth there, but it almost sounded like negligence.

Eric Stride [00:34:35]:
But I think you see some of these things that were previously considered less important because they weren’t factored in directly into the aircraft safety, airworthiness aspects that they weren’t given as much attention. And so now that they’re being factored into airworthiness, they’re going to be forced. So there’s going to be major consequences if those things are cut. Right.

Karissa Breen [00:34:59]:
So quick question. When you’re going on a domestic or international flight and they do the routine, a lot of the times I tune out, should I be paying more attention moving forward?

Eric Stride [00:35:08]:
You know, if you’re flawed enough to know, you know, where the exits are, where your life vest is, should you need it, you’re probably doing all right. Now, if you start seeing a lot of other weirdness going on, then maybe you want to pay attention a little bit more and reorient yourself to where those accidents are.

Karissa Breen [00:35:27]:
And Eric, what do you think sort of moving forward now? So any sort of closing comments, final thoughts you’d like to leave our audience with?

Eric Stride [00:35:34]:
Right. So while the aviation industry has faced its share of cybersecurity hurdles, there’s opportunity to strengthen these defenses going forward. Forward, it takes a lot of action in coordination. Right. It’s not just owned by one, it’s owned by the entire ecosystem. Right. And so in order to strengthen and to ensure security here, we have to look at the entire supply chain. I think regulation is going to help us force that way down towards things like enforcing encryption in places, or maybe there isn’t mandatory incident reporting schemes.

Eric Stride [00:36:07]:
Right. Having more proactive investments in adhering to resilient frameworks so that way the entire industry can try to manage the threat, rebuild the trust with flyers who are anxious about flying and thwart bad actors from gaining access into their critical systems and operations. And to be successful so it’s an industry that we are all reliant upon, as you said, right? We’ve all got to fly to get places. And so the aviation industry owes it to us to be providing the safest experience possible. And that means that they have to invest in securing their systems from cyber risks and cyber attack.