Home Interviews “Proprietary aviation systems are getting commoditized, which opens up security risks”

“Proprietary aviation systems are getting commoditized, which opens up security risks”

Security Risks in Aviation

The aviation industry has been heavily impacted during COVID-19 and has already lost $8 billion in revenue this year. Airlines and airports cannot afford to have more losses due to cyberattacks or fines imposed by regulators.

In an exclusive interview, Ravinder Pal Singh (Ravi), Chief Information & Innovation Officer at Vistara (Tata Singapore Airlines Limited), tells Brian Pereira, Principal Editor, CISO MAG how technologies like AI, machine learning, and robotics could be used to secure both traditional and modern infrastructure – and make airline travel safer for passengers today. Ravi talks about the security weaknesses at airports and mulls on potential hacking threats to aircraft.

Ravi is a Harvard alumnus and award-winning technologist with several global recognitions. He has been acknowledged as a leading Robotics Designer, a top 25 CIO, and an AI leader in Asia. He is known for his research work, which continues to make a difference globally, across multiple businesses and public domains.

Ravi is one of the speakers at the Cybersecurity in Aviation virtual event, which begins on November 25, 2020.

Edited excerpts of the interview follow:

Could you tell us about your day-to-day role in the operations at Vistara?

Vistara is a joint venture between Tata Sons Limited and Singapore Airlines Limited (SIA).  It is a full-service carrier. It has a remarkable history of two institutions — Tata and Singapore Airlines. It is now moving from domestic to international. We have two types of fleets — widebodies (787 Dreamliner) and narrow-body (A320) aircraft. We are a tech-driven airline. Thoughtfulness and innovation are our core values. And my role revolves around it — to ensure that systems are built — all kinds of systems of records from revenue to costs to engineering, to flight operations, to people.

The idea is to introduce the convergence of technologies ranging from data, which originates from objects, beautiful machines (aircraft), to people who fly those aircraft, to people who manage those aircraft, and consumers and customers who are using services provided by Vistara ecosystem. It’s about how all that information is converted to intelligence, through various systems of records, based on intelligence that comes through machine learning code, IoT, Big Data, and in certain cases, nodes are distributed using blockchain.

Fundamentally, I am a person who designs and builds robots, I write code, and I have to ensure that information is safe and secure. I ensure that prudent intelligence comes out of data and information which flows through convergence between humans and machines within Vistara.

I see that you have a background in AI and Robotics. How are you applying that knowledge to make air travel safer?

There are many ways of looking at it. One way is the current situation — how do we ensure that people who are traveling are safe from COVID? How do you ensure that their information is shared with the government and regulatory bodies associated with COVID? And you have to develop this framework in systems quickly.

This is already happening because Vistara’s systems are built on stacks, where you can track information and create intelligence. Less machine learning is used in this particular aspect.

We have this concept called “Counter in a box” where we can quickly create safe counters. And hence we can associate the PNR information of our customer with the health information that the government requires.

The second part is information with respect to flight safety, operations, and engineering. For instance, our 787 aircraft are based on an e-enabled platform. This aircraft is driven by software. Right from information that comes out of engines, information from the cockpit, and information related to all parts of the aircraft — that information is associated with flight safety, through engineering. So, if a part has to be changed, it has to be changed through our software. We have information for each part, in terms of health, longevity, and the overall environment and circumstances of this machine.

The third aspect is our e-commerce channels in the B2B and B2C spaces, where information is kept within the perimeter. Outside the perimeter, it is about how do you ensure that the state of information which is used for a particular e-commerce transaction, is safe and secure, while it creates revenues.

We are passionate about protecting the privacy and the transactional integrity of anything that happens through our e-commerce platform — either with travel agents or with consumers.

The last piece is our core systems — a system of records for people, for cost, revenue, network planning — how all these systems can talk while maintaining integrity both from the audit trail perspective and the overall infosec perspective.

There are four layers for how security frameworks ensure not only integrity of information, both data in flight and data at rest, but also ensuring that it helps to fly aircraft safely while managing revenues in a cost optimum way.

Aviation systems have been very closed and proprietary. These are largely isolated or closed systems. Today, these systems are being connected to the Internet. Even the ATC is embracing digital technologies. That presents new risks. How do you see the protection of legacy aviation systems that are integrated with modern digitally-enabled systems?

First, I’ll talk about proprietary. Let’s not limit this to only to aircraft, and also look at aviation and aerospace as a whole. It costs tons of money to build an aircraft, a rocket, a satellite, or even a launchpad. Look at Aerospace overall — a part of it is getting into the commodity space. For example, Low Earth Orbit (LEO) satellites are getting into a commodity zone.

Today, it is far easier to access launchpads across the world and launch rockets. 3D printing is coming into the manufacture of rockets in a much more powerful way. Instead of building a rocket with millions of parts, you can reduce the complexity through 3D printing.

So, the trend is moving towards commodity. Will it be an absolute open source? I don’t see that happening. It won’t happen because of the way the industry works and the different standards. What is the complexity of building and what is the capital to build a particular machine? That’s why they are proprietary.

Now we see software coming in and networks are getting software-defined. I see aircraft as a set of network devices that come together to fly. One day, a computational network engineer will come close to an aircraft maintenance engineer — or the other way around. They have to deal with routers, switches, and data flow that happens between them. And parts will become sensor-based; and sensors are now part of software-defined networks.

Does this increase vulnerability? It does. Is commodity software security typically known as infosec, geared for that? No. How to deal with this, in the mid-term, is to deal with proprietary software. Part of that proprietary software is getting into a commodity software through certificates, PKI — if you look at e-enabled aircraft, security is dictated by PKI platform (public and private key).

How does the Aviation industry view compliance and testing, particularly for infosec industry standards? 

More needs to be done in this area. But I give the benefit of doubt to associated agencies. For example, there are specific IATA standards for the safety of an aircraft. There are FAA standards, data protection standards, the data that originates from the aircraft. So, I am satisfied with those standards. But the overall framework, say, how an airport should be secured, how overall an airline should be secure, how airports and airlines along with aircraft lessors — how these three things should be secured, just as it happens in Financial Services and Insurance sector. There’s a lot of work has to be done here.

But for an airline business, the primary focus is passengers and aircraft. And then everyone else. I think the safety of both these parts is addressed.


About the Interviewer
Brian PereiraBrian Pereira is the Principal Editor of CISO MAG. He has been writing on business technology concepts for the past 26 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).

 


Disclaimer

Ravinder Pal Singh spoke to CISO MAG in a personal capacity and his comments should not be attributed to Vistara, Tata Singapore Airlines Limited, or Tata Sons Limited.