So hi to everybody at the Aerospace Village and dialing in for our panel where we're going to be talking about the hacker community and ISACs. I'm Pete Cooper, the director of the Aerospace Village, and I'm going to be hosting for the next 50 minutes. Now across the aerospace sector, good-faith security research has played a hugely key role in highlighting both risks and vulnerabilities. But if the researcher or hacker can't find a good point of contact, then approaches about potential vulnerabilities haven't always been potentially welcomed with open arms. The Aerospace Village really looks to help build bridges and trust between the hacker and research community and the aerospace sector so that we can have those pathways to talk about what potential challenges there are and that we can work better and be more safe and secure. ISACs are seen often as a key point of contact for researchers and hackers who want to reach out if they think they've found an issue but also struggle potentially with reaching the vendors. So how best do we create those relationships across hackers and ISACs to learn the lessons of the past and build the trust that we need? To see what's worked, what hasn't worked and what we can do going forwards, it's fantastic to have just the right people to talk about this. So on the panel, we've got Erin Miller, who's VP of operations for the, I think, FEDSA newly minted Space ISAC, and soon reaching IOC this year. We've got Jeff Troy, who's president and CEO of the Aviation ISAC. We've got Ken Munro, partner and founder of Pen Test Partners and also Carpool Karaoke today. And then Matt Gaffney, who is managing director of BSSI, who actually has an aviation backdrop in his photo. So I'll pass over to you for short introductions and then we'll get onto the panel. So Erin, over to you first.

Hey, good day, everyone. Glad to be here. As Pete mentioned, and thank you, Pete, for that great intro. We are a new ISAC.
I came to the Space ISAC actually from a public-private partnership background. So I've been working to bring together the commercial sector and the public sector for sometimes several years. Traditionally, just working in rapid prototype development and ideation brainstorm sessions to generate solutions in particular for the warfighter. So that's more of my background. Very excited for the future of the Space ISAC and I've been working for about over a year, about 18 months or so, to stand up the Space ISAC and get it towards the initial operating capability that we need for the sector.

Thanks, Erin. And looking forward to seeing where it goes. And then over to Jeff.

Thanks, Pete. So I'm the president of the Aviation ISAC for the last three and a half years. I've been with the ISAC for five years since its inception, just helping them stand up initially in their project. I'm also on the board of directors of the National Defense ISAC and I also work for General Electric Aviation.

Fantastic. And then Ken.

Hi. So I'm sorry about the backdrop. Two days ago I was sat on the cockpit of a 747. So that would have been better, surely. Anyway, I work for a firm called Pen Test Partners. And usually several of us are pilots. I'm not a very good pilot. I'm the guy who landed at the wrong airfield once, but we do have a keen interest in aviation. And for the last couple of years, we've been working on decommissioned airframes, starting to understand how the networks work and how the security of airplane systems fits together.

Fantastic. And then last but not least, Gaffers or Matt.

Hi everyone. Matthew Gaffney. I am the managing director of the BSSI UK, where I work with multiple clients across various sectors. But I have worked several years at the airline or operator level, working with the entry into service of new e-enabled aircraft. So coming across challenges and obstacles in the entry into service of aircraft and basically doing assurance across the whole piece.
Fantastic. And great to have you all. And it's a great spread of experience across the entire panel. So I'm going to start off with Ken. And you've been working with ISACs across various sectors for quite a long time now. So finding vulnerabilities, potentially not getting much out of a vendor, and then working with the ISAC is fairly common for you. So from your perspective, from what you've seen, how do ISACs fit into the picture for researchers and hackers?

Yeah, I find actually ISACs make, they make a really good set of connections for us. So if you read our blog many times over, you'll see that when we find a vulnerability, often it's not the vulnerability that's the story. It's how the vendor actually responds and interfaces with a security researcher that makes a difference between a really smooth, seamless and a straightforward vulnerability disclosure process through to being a bit of a train wreck, frankly. And I find that the work we've done with ISACs over the last few years has really smoothed that process. Typically when we're working on, I don't know, embedded components, maybe in IoT, you find something and the vendor just doesn't listen, they don't get it, they don't understand. But you tend to find different problems in organizations that are perhaps members of ISACs because they're just so big. And how does a little research operation like ours get through to the very right person within a large, whether it's an auto manufacturer or a CNI operator or an airline? How do you find that right person? And how do you get them to listen to you? And that's where we've found the ISACs have been really, really helpful is by having a connection by establishing trust. It's great to get those connections that mean that it's not just scrabbling around on LinkedIn or sending emails into some generic mailbox. It's actually, it's a conversation and then a private broker discussion, which is where the ISACs have been so unbelievably helpful.
And it makes a real difference.

Okay, that sounds great. And it sounds like it's worked. It has worked well in the past. I mean, Jeff, from your perspective, having been at the front of the ISAC for quite a while now, I mean, so you first got introduced to the hacker summer camp in Vegas when you came on a panel with me at BSides a couple of years ago. And the conversation we had around that, because you were dealing with some vulnerabilities at the time, it was great to see some of the ideas that you were coming up with about working with the hacker community. So what's been your experience as the ISAC with starting to work with the hacker community now?

So our experience has actually been a lot like Ken's. Initially, what we're finding is hackers are coming to us. They're either coming through a friend that they know, they're coming through us because of connections that we've made with government agencies. Or in some instances, we've actually had some companies call us and say, can you talk to this person first? Because we're not sure we even want to talk with them. So there was a lot of, I think a couple of years ago, hesitation or just a little skepticism with respect to dealing with people who were just calling in and saying that they had some information about a particular vulnerability. So that was probably one of the first challenges. And in our discussions with these folks, we found most importantly that they've come with great intentions, just good intentions. We want to really show you something that we found. And most importantly also, they're coming in and they're saying, I'm not telling anybody about this because one, I'm not really sure what I found because that's one of the problems too that we find that someone finds, for example, a vulnerability within a component of a system. They're not really sure how that impacts the whole system.
So really good that people have come in and had one good research, two good intentions, and then three, Ken highlighted this as well. We act really as a connector. So I mean, if you come into the Aviation ISAC, we don't have a setup like Matt Gaffney behind him there. And we don't have any airplanes. We don't have a lab. We can't test for this vulnerability, but we do do that connection. So the ISAC is a community of researchers in product security, network security, and threat analysts. So one thing we do have is just a great network where most times a researcher will call us and within about 24 hours, we've got them in touch with product security incident response or a similar type person inside that company. And we're starting to help that conversation along. But once that connection is made, actually, we pretty much step to the side and let the people who actually built the technology and the researcher who has this vulnerability information, let them have that direct conversation.

Thanks, Ken. And that's actually a nice segue through to check with Gaffers, because Gaffers, you've just gone through this process of finding a potential snag or two on some systems and actually started working with the ISAC and other organizations to try sort of getting to the bottom of it and closing it off. So what's been your perspective of that journey from finding something to trying to close it off?

Yeah, so I was writing a paper about some of the things I had seen and I was curious about how much detail I could go into without causing alarm, distress or basically overstepping the boundaries. So through the community, I reached out to the Aviation ISAC to get some advice. And one thing I noticed was within 24 hours, I noticed the hits on my LinkedIn profile just exploding. It was just full of people from all sorts of manufacturers.
And it was in stark contrast, really, with similar interactions which I'd had whilst I was working at the airline, where maybe a week later, you get a response and the response was very, very tepid indeed. So that was really the first difference I'd noticed in going through the Aviation ISAC. The second time around, the official vulnerability disclosure procedure had been developed at manufacturing level, again, I think with help from the Aviation ISAC. So we decided to use that mechanism. And although the initial holding response was quite quick, it was about a working day in response, the actual full response took four and a half weeks. And that was because I was chasing, which I thought was a little bit slow myself. It wasn't a highly technical issue. It was quite, quite simple. And the response was no different from the first time I went through disclosing a vulnerability with a manufacturer. Basically, it was the scenarios and the hypothesis. I'm not credible, therefore, there's no vulnerability, which is a very strange opinion to have on risk management myself. I rebutted with some comments from the official response and they were left unanswered until eventually I got the "this matter is closed" email and that was it. So the difference, I suppose the outcome was very similar, but I would say the response, the initial response was much better because the first time I went through this, it took several months to get to any kind of satisfactory resolution, which it wasn't in the end really. It was only a halfway house, but with the Aviation ISAC, going through the official process, it took weeks instead of months.

Thanks for that.
I want to come to it in a second, but can I just go for a straightaway follow-up question to Jeff on that, which is if on one hand you've got a researcher such as Gaffers who's saying, I think I've found something, but the response from the manufacturer, the vendor is, well actually there's nothing there, but we can't really tell you there's nothing there with the ISAC in the middle and you're funded by the manufacturers. How do you reconcile that?

That's a great question and I think it's kind of like that great abyss that is so hard for us to get across. So when you have a researcher who has information and they believe that this is a vulnerability, particularly one that needs to be addressed, as I said, we can't validate it. I don't have the equipment, I don't have the specialist to be able to do that. The best I can do is get you in touch with the right people who do have it and hopefully through the relationship builds that have happened over the years that there'll be a good exchange there. When you get to a situation where the process has been completed and the manufacturer is not validating that vulnerability has any impact, I think it is an extremely difficult situation at that point in time because you've got someone like Gaffers, they've got an incredible mindset, right? Hey, I'm challenging things that people are saying are secure and I am not sure that this is because of something that I found and that is what I think is the treasured trait of every security researcher. Their ability to dig in and try and find a way around the system that someone said there's no way around is what leads to the great security research that we have. The unfortunate part is that if someone has tested it against that system and they know why it doesn't work and they don't want to pass that information back over to the researcher, then you have this gap because the researcher's mindset is, hey, I think this is great, you need to show me how come.
Now you have that question of where does my intellectual property and my security controls stop in respect to trying to protect them and where does the research information kind of come together? How do we meet in the middle there? That is something that I think is going to take some more time in terms of that conversation and how much people, manufacturers specifically, are going to be willing to share in that area. There's been a lot of great work. Pete, you've done a lot of work trying to bridge the discussions between these communities and we've seen pretty much a community that really wasn't talking to researchers at all, really starting to embrace them now and have a lot more conversations, which has been good for both. I think the researchers are finding out, hey, these are good people trying to secure really high technology and the companies are saying these are really good people who are trying to make sure that technology is well secured and I haven't found a way. So this is all good in my mind in that the process of building trust takes a long time and I think things are moving in the right direction and it's these types of conversations, these environments, the village, these things that are happening that are going to continue to bring together the parties and try and close that gap of when you have these types of situations in terms of what the manufacturers will be willing to share in terms of information with the researchers.

Thanks, Jeff. That sort of brings it around nicely to probably the newest ISAC on the block in the aerospace sector, which is Erin and the space team. I mean, Erin, all of the conversations that have been sort of like going on there with the challenges and the opportunities that the Aviation ISAC has gone through and Gaffers and Ken as examples of the researcher and hacker community.
With you sort of being these sort of newly minted IOC later on this year Space ISAC, what's your sort of vision going forward for how you want to play this and how you want to take the Space ISAC forwards?

It's muted.

Thanks Pete. I think since Space ISAC is new and we have sort of a clean slate here, then there's a lot of opportunity to leverage the lessons learned. There's almost like a legacy of how ISACs operate and some things good, some things bad. We want to make sure that we fully explore and understand what we can do the best. Listening to everyone talk, then I think there's some great takeaways. Having that open line of communication available and we have that today. We are currently accepting communication to the Space ISAC at our info at spaceisac.org email address from anyone. I would say that part of our vision starts now. I would encourage anyone to contact us with ideas on how Space ISAC can be that broker between the public and private sector, but also that extends to researchers. Part of the vision of Space ISAC does include that we have universities as members, so that makes us a little bit different than some other ISACs, not all. We also have international members, so that makes us a little different too. I think it's really cool to think about space as a global community. Other ISACs have done and we intend to expand out and have members from all across the globe. Since not everyone here is familiar with Space ISAC, just a little bit of history, it was launched by the White House. That's interesting in and of itself. The White House for representing the U.S. government came forward and said, we really want to see the public private sector come together and share information about threats and vulnerabilities regarding the space community. After they made that announcement, then we were able to start going out and asking members to join the board. We're still very new in that we just opened our general membership on May 1st of this year.
When we hit our IOC, that will mean that we have the ability to actively share threat intel through a threat intel platform. We'll also have workshops and events that are available to the space community published at that time. That's coming later this summer. Now is the time definitely for us to open that line of communication. We would invite, like I said, anyone's perspective on how to stand up the best vulnerability disclosure program. I've already talked to some of our board members about doing that. Really looking forward to the opportunities that we can bring to the space community. This one will make us even better. I believe that an ISAC really is the prime organization to be able to have this type of dialogue and to engage in this way. So thank you.

No, and that's great. It's great to hear all the work that's going on in the background. A lot of the focus is on mission critical. That's the mantra that always gets talked about with space ops. A lot of the discussion for aviation will be safety and security, so driving as low as reasonably practicable. With the space sector and your members and what you're hearing from your side of it, what's the general feeling at the moment when it comes to cybersecurity? Because people tend to banter that cybersecurity of space assets is generally, I think the expression I heard the other day was in the 80s. Obviously that is going to be something which is openly debatable, but what's the general feeling about maintaining that mission critical status and having cybersecurity up front and focused on that and then looking for the vulnerabilities and working and open to working with researchers? Are you getting that feeling from your members and the people you're speaking to?

The feeling I get is that more information is better. So if information comes to the ISAC, then it's our job to get it shared with the members that it is most relevant to. They're already operating in that role right now.
Cybersecurity for space or security for space is very broad and the general feeling is that we should have stood up a Space ISAC two decades ago. I think maybe that's what your comments were indicating because there's a lot of vulnerabilities that hit cybersecurity, hit the business system and they actually have a lot of relevance specifically to space applications and other entities might view them differently. But if you're a space company, then you really need to know the direct implications of that threat to the space mission. So it is definitely all about space mission and protecting the space critical infrastructure and that's where our entire focus will be. So if somebody has access to information that is related to a threat to space critical infrastructure, we'll eventually publish what that means to our members, what is space critical infrastructure and that'll help scope some of that discussion. But I mean, if you define it as space critical infrastructure and you think that the Space ISAC should know about it, then I would say that's what our members are going to care about from what I can tell. We've actually also engaged in a partnership I should mention with the Air Force Research Lab that runs that Hack-A-Sat that's happening this year right now. And so just even that step forward shows me that the members are really excited about partnering on challenges or developing our own challenges that will be open to the broader researcher community.

Thanks, Erin. Yeah, and to be honest, it's just nice talking about aerospace cyber security and having hackers and researchers working together because it felt like three years ago that talking about vulnerabilities in aerospace systems is something that we didn't really want to do. So actually, part of this is building up this dialogue so we can have that as an informed dialogue.
But as we go forwards, I think, I mean, we've all had conversations in the past about trying to make sure we learn from what's happened in the past. So really trying to dig into some of these challenges is what's been, and I'll pass it over to Ken, what's been the sort of the standout sort of examples of where things have really worked well and made a difference and where things really haven't worked well.

Gosh, there's a few of those. I want to pick up on a point that Jeff made, and you used the word new, which I think is actually really important here. Because cyber security research in aviation is pretty new. I mean, we've been working on airframes for two and a half years now. And you've got to remember, this is an issue that perhaps is very heavily regulated. It believes it has safety well in hand, so it's extremely open to inspection, but also fiercely protective of intellectual property, rightly so too. So this is a new thing. The industry is also hurting at the moment with the COVID-19 issues, and also smarting at it from some of perhaps less helpful coverage in the past around aviation cyber. So I think it's really important we talk about building trust in this community. And what's often raised as a subject when you're doing vulnerability disclosure is non-disclosure, and that's a really sensitive area. So it's pretty rare outside this space that you'd be asked to sign a non-disclosure agreement, but also you have to balance that with as a researcher. Do you want to know more? Do you want to understand in detail? But at that point, you might consider signing a non-disclosure agreement in certain areas that allow the manufacturers to talk to you in more detail, feel more like they've got more trust in you, that you're not going to take everything that they've told you and splatter it across the press. And I think that's a really, really important point.
So I think many researchers should think carefully about that, or maybe we should consider actually NDAs for certain areas, perhaps certain bits of discussion do need to be covered by non-disclosure and certain, well, maybe not so. And I think that's a really important learning point. And I think that also leads us back into some examples of where things have gone really well and some examples of where things have gone really badly. I can think of the biggest issue just being generally where there's no communication. So where the researcher does what they believe to be the right thing, makes communication, establishes, discloses everything they've got. And then things go quiet for a while. And it may be that the vendor in that case is actually working really diligently exploring every option and trying to add some detail, but they don't communicate. And I think in Gaffers' case, that's potentially what went wrong there. Perhaps if there'd been a more regular dialogue with the vendor reaching out and going, hey, I know we haven't spoken to you for a part of this. I think that would have made you feel a lot happier about things. Hey, Matt?

Yeah, absolutely. Yeah. Yeah, I just felt that the communication was a bit curt in general. And it wasn't an open flowing dialogue at all. It was very much, yeah, thank you for your submission. We'll look at it. And then nothing else. There was no questioning of what I had proposed and no questioning of what I'd submitted. It was just that, yeah, we'll take it away and look at it. And that was it. It was just, and then when I chased them for an update, it was like, oh, here's the response. There it is. That's it. And annoyingly, with my work at the operator level, I actually knew a lot of these people anyway. It's not like I've never actually met them in person. I have. So to not have that level of trust, I think, is really disappointing.
And it is something where I think, you know, the whole industry, researchers and the manufacturers could really improve.

That's a good example of that. So, you know, compare us to where we were perhaps a year ago with DEF CON and Black Hat in 2019, which was perhaps partly a difficult time for the aviation cyberspace. But, yeah, here we are a year later. And for example, you know, Boeing is going to set up a cyber technical advisory council actually inviting researchers onto the inside. I mean, what a huge win that is both for researchers and for the industry. It's fantastic progress. And I think it's amazing that a vendor who was perhaps, you know, really hurting from some difficult coverage last year and a difficult interaction with researchers has now completely come around and engaged practically. And I think that's a huge step forward. So it is new. It is new to the industry. But yes, it will take time, but trust is being established.

Jeff, you want to come back on that?

Yeah, I just actually took down a note here because I want to make sure I share it with all the members across the ISAC. And what I wrote down basically is a vulnerability disclosure program does not equal a link on a website. And I think that's a really important point here, right? I mean, we've got all these companies out there who are now, you know, making it easier for them to be contacted. But it doesn't end there, right? So I got your submission. I need to have that conversation. I need to engage, you know, with this researcher. And I think that's just a really important point. I'm really glad you brought that up because that's a part of the maturation process, you know, okay, the door's there. But if you don't answer the door and welcome the people in for the conversation, then, you know, it's kind of an odd relationship. They're just standing on the front step, right? And so we need to bring them in the living room and sit down and have the conversation.
Yeah, I think that because, yeah, researchers spend their own time, their own money, their own efforts, doing this. And it's great when we feel valued. And, you know, we can help, you know, the aviation industry can benefit from what we do. It's just that level of value interaction makes such a difference. And actually, if you look at the researcher and how to find something and then approach, tries to approach and do the right thing in talking through good faith research and saying, I think there's an issue here. A lot of the risk is really on the researcher. It's not really on the manufacturer. So a lot of that effort, I think really has got to come from the vendor to say, we're open and we're willing to engage in all of this.

Jeff, one of the areas that I think is quite contentious in security research in aviation is a subject of nondisclosure. Where does the ISAC sit on that?

So great question. Really, the issue with the nondisclosure is that if you sign a nondisclosure agreement with someone, there's still a risk that they're going to violate the nondisclosure agreement. And although there's recourse, if someone violates a nondisclosure agreement, what you wanted to keep protected from being publicly disclosed ends up getting out there. So this is, again, a matter of trust. And you've seen this, Ken, because you have a company that does pentesting. Not every company wants to hire every pentester. And that's one of the problems. It's like they're looking a lot of times for companies that, hey, have you worked with these guys before? Have you worked with these pentesters? Do you think they do a good job with a actually hold your intellectual property close? Those are the types of questions that I'm sure you've had grilled as you walk into different engagements. And that is one of the problems, particularly for newer researchers. Because it's like, well, what if you don't know me, right? I've still got great research.
I'm a very trustable person, but we just don't have a history yet. And that is a situation where I think it may be solved by the community building itself up. As the community builds itself up, other researchers who do have, let's call it street cred, right out there, they're able to vouch for people who have come in and say, well, I've worked with that person. I know that person. Those types of trust building activities, I think are going to have to happen to support the idea of entering into an NDA with a new researcher.

There are lots of benefits as well, I found that may be very, very specific non-disclosure agreements. It means that the airlines or the manufacturers can actually bring you and show you things that you weren't able to see through your research. I've been involved in that and was invited to a factory tour where we showed things that we couldn't talk about in public, but it allowed the dots to be joined. So we understood why certain issues were mitigated in a certain way, but we couldn't possibly talk about in public.

I mean, can I just, we've got to be, I just want to unpick some of the language, because when we talk about building up and using street cred and things like that, I mean, surely we need to get to a position where irrespective of who is bringing up, if it's being brought up in good faith and being engaged on good faith, whether somebody's got street cred or not, we've got to make sure that they are listened to, because if we go to the safety critical aspect or from the space perspective with Erin and her team from a mission-critical aspect, if anybody brings up a potential safety issue, then the safety management team are behoven to listen to it, irrespective of who it is. So surely we've got to go for the same perspective when it comes to researchers and them trying to flag issues. I don't feel there should be a gate of entry of credibility or not.
It should be we've just got to have that dialogue, and they've got to be able to reach people. Gaffers, you're nodding a lot.

Well, yeah, because I mean, I get a lot of, you know, imposter syndrome in this industry, because I'm not a pentester. I'm not, I'm not a spend my life, you know, reverse engineering IoT and doing all this kind of stuff. I was just doing information assurance on behalf of my client and found these things. And yeah, like I said, I'm not a pentester. I'm not, I haven't really called myself a researcher until recently, when I kind of thought to myself, well, yeah, I'm actually doing things in my spare time, looking at things using open source documentation, etc. etc. And yeah, I suppose I am a researcher, but I never really thought of myself that way, especially when I did these disclosures. So yeah, the bar has to be not your cred, it has to be, you know, you're coming in with an issue, and like I said, we're doing it in good faith.

I mean, Erin, from your perspective, and how you're building out the Space ISAC team, are you looking at the structures and processes of how you can potentially engage in this way to try and make sure these doors are fully open?

Yes, so I've started the conversation with the current members of the Space ISAC. And as the Space ISAC grows, then I think this will be a conversation that we have with everyone who joins the organization to ask them about having a vulnerability disclosure program, what their experience is with that, and making sure that we can shepherd the conversation from the point, you know, where someone knocks on the door to us, opening it to us, having the conversation to then, you know, brokering the conversation with the member. And I think the only way to really do that is to, like I said, talk to members when they join the organization about their perspectives on this, because otherwise, you don't have a cultural adoption of it.
Because that's really from what I'm hearing from everyone, then that's what this is all about. And that's great for me, because that's the kind of stuff that I love. Like when I did design sprints with the private sector in the government, then that was all about changing culture. And so shaping culture is mostly driven by conversations and introducing new ideas and then kind of testing them. So I think that's what we'll be doing in the Space ISAC, is if someone knocks on our door, then people, someone has to realize that if they knock on our door right now, then it's the first time it's ever happened. But we're willing and open to taking, walking the path with them and having the conversation with the company or the member that has the vulnerability that they're approaching us. And I'm just going to pick up, though, because culture, yeah, massively important, but with both aviation and space, as had been previously mentioned, is massively highly regulated. So regulators are there for both safety and security. And last year, there was a massive step forwards where, for example, ICAO, which is the UN body for aviation, actually has a line in their cyber strategy now, which says that states must give adequate protection to good faith security researchers, which is great. So from a very top level at ICAO and the UN, this is sort of being recognized and hopefully will filter down. But what's the relationship like with, for example, the regulators in this space? Because this is a safety critical industry. If a researcher is flagging potentially a safety critical issue, who really gets to decide whether it's safety critical or not? And from your perspective, is there that structure yet in whereas you would see in the space sector? So obviously, the space sector is regulated, but it's not as regulated as it could be, and maybe will be in the future in terms of cybersecurity. 
So I think the Space ISAC, part of the intention of standing it up is to promote dialogue with prospective regulators. So in the future, there will be agencies that are responsible for managing space traffic management. They could send regulation down as a result of that designation. And the communication between the private sector and that agency is critical, and that's what the Space ISAC is for. So we have at least 18 different agencies that we're partnered with informally right now, and we're working on formalizing those partnerships. So I believe there's a lot of opportunity for the interactive dialogue. We're already, we are seeing it today with certain agencies contacting us and asking for information to be shared in both ways. So they share information with us and as we're able to, we share information with them. And hopefully, and you can tell us how this goes potentially, whether yourselves can be an advocate of why good-faith security research, and working with the research community would be good across the space sector. I mean, the work from what you're talking about there, it sounds like that you're going to be quite well at the forefront of that as the Space ISAC. Going back to the regulatory perspective from an aviation side, Jeff, from the Aviation ISAC perspective, if somebody comes to you with something that you think could be a safety critical issue, do you deal with that differently compared to if it was an issue on a non-safety critical system? No, we really don't. So what we do is, again, we don't have the capacity to validate whether or not it is a safety critical issue or not. I mean, there may be an assertion from the researcher that it is, but we don't have the ability to make that conclusion. So we're going to be providing the information by linking the researcher up to the manufacturer and letting them go through that process. 
If it's a safety critical issue, the manufacturer may be required under their regulatory requirements to actually make a report to their regulator as to what the particular issue is and then how that's going to be resolved. So there's, you know, there's a whole body of governance over the manufacturers to have to, you know, make those types of notifications. And there are also lots of other front doors that the researchers can use, for example, so DHS has a front door for researchers. I don't think the FAA has a front door for researchers. But I mean, Ken, have you seen the different pathways that have been used? Yeah, so we haven't struggled so much recently. And I think that's partly because we've had access to ISAC and who know who to ask or can make a subtle introduction if required. But I have seen other researchers publishing on Twitter saying, has anyone got a security contact at X? And that's a really difficult way of, I think sometimes it draws attention, sometimes it's unhelpful. And I don't know if that's the most constructive way, but it does reflect a lack of ability of the industry to receive research. So I'd say to researchers, try a bit harder. But I'd also say to the industry, listen a bit harder and make it a bit easier. That sounds like quite a good segue to start wrapping up. So Gaffers, have you got sort of like final thoughts that you want to sort of having been talking about this for a while now and having gone through it yourself? Have you got sort of like some wrap-up thoughts from yourself? Yeah, I mean, so from an airline perspective, a lot of the cyber security controls come down to the airline as recommendations. So when you look in all the documentation and the regulation paperwork, there's nothing that says you have to do this. They're all recommendations. And a lot of the documentation, they will dedicate 95% or more of the words towards non-cyber stuff. And it's a tiny little bit at the end about, well, think about doing this. 
And I think that, and the manufacturers as well, they will provide their own recommendations of security controls to put in place. But then there's a disconnect because the manufacturer will have done their risk assessment. They will know what the risks are, produce recommendations for the operator to implement. But then the operator implements them with no way of assessing their quality, because there's that disconnect between the risk assessment which the manufacturer has done, which is obviously a secret, and the work that the operator does. And I think that there's something in the middle there that's missing, and it could be the regulator, it could be the ISACs. And I don't know, but I think there's a better way we can do this, everyone. Oh, really, from the, although there might be one front door for the researchers, it's all of the network of communications and information sharing behind that that also challenges remain. Yeah. Okay. Ken, you were very pithy earlier, so I'll give you one last chance. So I think one key point is security research is happening in aviation more and more. Partly on the back of COVID-19, airframes are being retired. I was offered an entire operational 747-400 that last for a month ago for 200,000 bucks just this week. Okay, it didn't have engines, but everything else was intact, plug it into ground power, the whole thing works. So yeah, 200G is a lot of cash, but it's starting to come into the price range of research firms. So more and more research is going to happen. So now's the time to take the opportunity, engage with researchers, make it easy to interact with them, and let's step up. Fantastic. And then I'll come across to Erin for yourself next. Yeah, so I think the way forward for the Space ISAC is to take the advice and the lessons learned from this group in particular and others. I've talked to some other ISACs as well out there to get insights and perspectives on how to do this the best. 
Space ISAC does have some interesting things in its future. We will in 2022 have a vulnerability lab. So that may bring in a different dynamic to the Space ISAC and open some great opportunities to do testing of vulnerabilities. Definitely don't want to have anyone leave thinking that just because it's in space, the community can't be hacked. So we're really looking forward to the future and engaging the researcher community and hope that someone actually reaches out and shares their ideas because I really want to read them and follow up. So I'll drop the address that I gave before info, INFO at s-ISAC.org. Feel free to hit me up. Thanks. No, and I think we all look forward to hearing about your IOC coming up and look forward to how you take it forward and being there to help you and the communities go forward. And then Jeff, you and I have had these conversations a lot. So it's great to have you here. Wrap-up thoughts from yourself please. So I think something that Ken highlighted is just critically important, right? I mean the fact that people particularly because of COVID-19 can now get more access to equipment, that is going to absolutely open up more research being done on planes. So that fact is critically important. And the other thing I think it's been a theme through the whole conversation we've been having here is that communication and building bridges is just critically important between the community and the industry. And so as we continue to strengthen that bridge and have more of those conversations and good exchanges, again I think people are just going to continue to see that on both sides of the equation here there's just really good smart people who have common ground with respect to safety in the industry. And keeping that conversation open and that mindset open is going to help these great ideas get passed back and forth and just make the whole industry more secure. Thanks Jeff, and thanks to all of you. 
I think it really shows from all of the themes that have been picked up that actually there is no straight path to building trust across such a diverse group of stakeholders. There is no one right answer for how best we can help the research community work with industry. But the one thing we do know that will help is conversations like this, learning from each other and actually trying to positively engage across all of those different stakeholders. And have a good drumbeat of communication so that when people are flagging things up, but then it's actually a good positive engagement all the way through. And that's the way we learn all of us together and that's the way that we can help the industry be safer and more secure. So I just want to make a huge thanks out to all of you. This is in the heart of the envelope of exactly what the Aerospace Village is about to try and help build bridges and the community around such a great topic. Please stay safe and look forward to chatting with everybody on Discord and straight after this for about an hour. Thank you very much.