aerospace systems a changing paradigm and how you can help. First, let me quickly introduce you to our presenters from Thales. We have Yannick Leray, Head of Pre-Sales and International Development for Cybersecurity Consulting and Operations. We also have Lawrence Rowell, who is the Director of Product Cybersecurity for our Connected Cabin and In-Flight Entertainment Systems. And finally, we have Natalie Fate, who is Chief Information and Product Security Officer for our Global Avionics Systems. The focus of today's session is to show how industry designs, attacks, learns and improves critical aerospace systems with respect to cybersecurity: avionics, passenger systems, and air traffic management systems. First, we will speak to the changing requirements and what digital transformation has done for cybersecurity. Then we will explain our paradigm shift with respect to the design of our systems. And finally, we will talk about how we integrate good faith hacking and create a chain of trust. So let's start with Yannick to talk about digital transformation and cybersecurity. Yannick, over to you.

Thank you, Adam. We wish we could be there physically. However, due to COVID-19, we're in this virtual presentation. Hopefully we'll all be there together next year for the next DEF CON. So now let's talk about digital transformation and cybersecurity. Today, the aviation sector is leading the way in digital transformation. This playground represents an international and complex ecosystem with a wide threat surface exposed to attackers. As you can see in this slide, there are many targets to be protected. Among them, we can talk about the air traffic control and air navigation systems, the connected aircraft, the airport, the airline maintenance control center, as well as UAVs and drones. These targets are associated with multiple risks and have cross-country exposure. And therefore, we need to be coherent, with a global approach, to better understand and reduce the risk.
As I said previously, the aeronautics environment is leading the way in digital transformation, with an open and connected world. Digital transformation leads to data-driven organizations and therefore to cybersecurity. Knowing that for aeronautics, safety is the first priority, we must secure stakeholders' trust as well as safety-critical aeronautics systems, putting the passenger as our first priority. No digital transformation without trust, no trust without cybersecurity. This connected environment raises two challenges for the aerospace ecosystem. First, safety and security, requiring us to keep up accuracy in a safety environment, setting up cybersecurity conditions across the whole system life cycle. And second, business continuity, needing to value cybersecurity to help prevent business and operational disruptions. Now, let's talk about the hackers in these environments. We're going to talk about ethical, good faith hackers. And with this, we aim to provide the best possible practices. We want to make sure our solutions and services, as well as our customers' infrastructures, are cyber secure. And therefore we perform, for example, risk analysis and pentests using our own hackers. And for sure, we're talking about ethical hackers, ethical Thales hackers. These hackers can actually get in. For example, for one of our air navigation service provider customers, through some services that we provided to them under a contract, we've been able to penetrate their power generation systems. And this was enabling us to get into their server, which turns on and off the whole air traffic center. All this through our own facilities in France, going into their own air traffic control, which for sure was not in France. Other tools that we have are specific simulation environments.
As you can see in this slide, we have the red team versus the blue team. With our simulation environments, we're able to implement the infrastructure of our customer, their operational infrastructure, where the red team is our own hackers, whose mission is of course to attack and find vulnerabilities in the system. And the blue team is our customers. Our customers in this environment are there to be trained and to see if they are cyber secure, and also if their system is cyber secure. More and more, we need ethical hackers able to master specific sector expertise. This sector expertise is very specific. We're not talking only about IS/IT. We're talking about operational technologies. More and more, we're facing attackers who are aiming at this type of equipment and trying to be more and more specific in what they're attacking. And I now hand the floor to Lawrence, who will develop more on what we do in terms of avionics. Lawrence?

Thanks, Yannick. Okay. So when we're talking about this changing paradigm, it's really important to understand the current and historical state of affairs. In other words, how has security been managed to this point, and why? And then we're also going to talk about what is changing to drive the new paradigm. So at Thales, the high-level approach to cybersecurity is defined by nine cybersecurity rules. One of the rules is really important to this audience in this conversation because it speaks directly to penetration testing. Oftentimes, we use a gray-box approach with third-party pen testers: we give them a limited amount of information so they have some understanding of the system components and overall architecture and they can test all the threat vectors. This is good, and it's a great start considering where we are today, but it also serves as a very good example of a security practice that does not really reach its full potential. The model I just described is performed by a limited number of people for a limited amount of time.
They also only have a limited amount of information, and it's done in a closed environment that is not really remotely accessible due to policy and other technical limitations today. This approach does not really leverage the full power of the good faith hacking community, and ultimately it results in what can only be called a limited snapshot of a product's security posture. And we must admit the culture of aerospace and aviation has really contributed to the approach that we have today. Vulnerability management in aerospace and aviation is pretty difficult. Updating the product in most cases is not easy, and this is even true for the non-safety-critical part of the aircraft. It usually takes a lot of time, a lot of money and usually a lot of lost revenue to update the aircraft systems. Historically this has contributed to a closed type of thinking, along the lines of: hey, if we don't look hard enough we'll never find anything, and therefore we must not have a problem. The good news is that we're seeing a change in this mentality. In a recent Atlantic Council survey, 84% of aviation professionals that were polled indicated that cybersecurity researchers are good for aviation. Now is the time for the industry to improve, and we can do better. But first it's important to understand the factors that are driving this shift in thinking before we try to answer the question of how we do better. Let's use the cabin of today's commercial aircraft as an example. It makes sense to look here first for a couple of reasons. This portion of the aircraft is not deemed safety critical; therefore it lends itself to the fastest changes and is going through a rapid evolution in terms of the technologies and systems deployed to satisfy the airline customer. This means this area of aviation will embrace the good faith hacking community the fastest and with relative ease, and it will likely influence other areas of aviation.
So everyone knows the majority of commercial aircraft are connected to the internet, as Wi-Fi is viewed as critical for today's passenger. There are also several other changes that are bringing the comforts of the living room into the cabin for today's passenger. So if we take a look at the in-flight entertainment system, it's a really good example. It's becoming much more complex in several ways. There's an increasing selection of movies and other entertainment content that has not been released to the public. This requires protection and ongoing security testing. There's a large influx of third-party applications and games, and these are games that are not from the Apple App Store or Google Play and validated by Apple and Google. These require ongoing security testing as well. E-commerce and shopping options are constantly expanding, along with more convenient ways to pay for your goods and services. And this includes the introduction of technologies like near field communication. The amount of personal information is increasing, with airlines providing a much more personalized service with more convenient payment systems. And this also includes the introduction of advertising that is targeted to specific passengers using their demographic information. In order to support all of this, the number of interfaces on the aircraft that are accessible by the passenger from their seat is increasing. This includes things like USB, Bluetooth, touch screens, near field communication and Wi-Fi. Now consider that this is only part of the overall equation. All of these solutions I just described to support e-commerce, entertainment and personalization are supported by constantly expanding ground infrastructure. This ground infrastructure has similar cybersecurity risks. It's exposed to the same regulatory requirements, like PCI and GDPR. But there's a big difference. These environments look and feel much more like a traditional IT environment.
So one positive aspect of this is that IT-oriented DevOps teams have already started to embrace practices like crowdsourced pen testing. So in the case of aviation and aerospace, this will be a force that will drive the overall industry towards engaging the good faith hacking community. So before I finish, there's one last thing I'd like to mention about how we are seeing the COVID pandemic impact this paradigm shift. Third-party pen testers who were previously required to be on premise to pen test certain products and solutions cannot travel and be on site to do this. Yet the pen testing still must be conducted. So we are seeing companies quickly adapting, changing their policies and methods to do remote pen testing whenever possible. Obviously this is going to be a challenge when it comes to systems and products with physical interfaces. But we still see a rapid evolution coming in this area. So COVID is actually knocking down some of the previous barriers when it comes to embracing the good faith hacking community. To summarize, these changes have increased the number of assets that need protection while also increasing the number of threat vectors. At the same time, we see the aviation community's attitude and view on embracing the good faith hacker changing. This means now is the time to do this. It's time to embrace the good faith hacking community and look at changing the traditional approach to cybersecurity. Now I'll hand it over to Natalie to talk about how we can do this in collaboration with the good faith hacking community.

Thank you, Lawrence. You're right. We need to see more on how to integrate those hacking activities in our engineering and operations. So I will use the NIST framework, which is what we are following, to explain our constraints about that. So we discussed with Lawrence when in this cycle it would be easiest to integrate good faith hackers.
During the identify and protect phases, it's more where we do risk assessments; it's a theoretical part, not that easy. But definitely during the design phase it's important, and more naturally in the in-service phase. So those two phases, the design phase and the in-service phase, seem natural to me. Today it's obviously during in-service that we already have interactions with hackers. I will tell a little story about a CVE that has been published on the Thales cabin product, and we all know that there is room for improvement in this area to render this interaction and this dialogue between industry and hackers more fruitful. We will discuss that afterwards. Now I would definitely like to focus on the design phase. Why? Simply because for us it's where it is the easiest to patch and to remediate. And this is also the right place where we can confront the theory of the attack paths that we imagine with the real practice of hackers and have good coverage of it. And the more we spend time on cyber robustness, the more we are saving money, to be honest, in the operational phase and the in-service phase. So now when we think about how we can manage this during the design phase, it's not easy. Today I have no example of our airborne systems being virtualized and put in a cloud and accessible through a web portal for you to do pen tests. As explained by Lawrence, we are performing our own pen tests directly in our labs. So you need to imagine fully representative labs. For example, for the cabin you have an instance of the economy class, first class, business class, and these are big halls running 24 hours a day and 365 days a year. So you can imagine how it's not easy to organize a pen test sequence in such labs, which are used to improve our product and ensure new functionalities for customers. So to be clear, there is also the fact that we are on special technology.
If you want to get good faith hackers working with us, for example through a bug bounty program, then there is an investment to be made on the hackers' side, because you need to get into specific technology dedicated to aviation. For example, we don't have Ethernet, we have AFDX, which is ARINC 664. This is an Ethernet oriented for safety, and there are lots of examples of that in protocols and operating systems, and this is driven by safety-related requirements. So when we discussed with a bug bounty company how to organize better interactions with good faith hackers, they mentioned to us they already have this kind of program for ICT suppliers or, for example, automotive system providers. But with the change in paradigm, as mentioned by Lawrence, I think that we are now moving to virtualized simulation benches and labs, or connected simulation benches and labs, and this helps. This is a kind of cyber dream and I think it's promising. For ground systems and ground infrastructure, we just need to follow what is good practice in other sectors, since they are more IT related, and we can easily move to classical bug bounty programs. So to summarize how we can work together during the design phase, I think there are two tracks we can work on. The first one is dedicated bug bounty programs where you come to our big halls and labs, and the second would be more to develop, and it is more on our shoulders: cyber twins, which help in doing those pen tests and perhaps being more agile, doing it more often and with better coverage, and not one or two persons during some days. So okay, I hope it's clear. Now we'll go to the second phase, which is the in-service phase, to explore what we can do. So here this is another story, and you see the title, we call that managing continuous security.
It's not for you, it's for our customers, for them to understand that security is a long road where you need to update regularly, due to the fact that new attacks are coming, and in the in-service phase the NIST framework begins with Detect. This detection comes to us either through our customer services, which sees an incident reported by a customer, or it might be an event found on the internet. So you know we have a threat intelligence team and services like that that help us in grabbing the kind of videos that may be published by hackers, but also, in a more standard way, CVEs that could be published on our products. So to explain what the issues are today, I will give you an example; I think it's the best. It was a story that happened to us, I think last year, and in fact it was a CVE published with a high score of 8, which is high, the CVSS score being between 1 and 10, and it was on in-flight entertainment systems. So first of all I would like to recall that in-flight entertainment systems are non-critical systems if we consider safety, so this rating is a bit high. And when our product incident response team, our PSIRT, investigated that, they learned that in fact it was a vulnerability exploited in a third-party chat application, and in fact the impact was just you, at your seat, hacking the chat application and crashing it, not propagating to any other seats, just standalone on the seat. So it was a bit surprising to us that MITRE, even MITRE, has ranked this vulnerability at the level of 8. But finally we got in touch with the hacker, we had a discussion, and we said that this CVSS score was far too high. So when you see such a situation, and if we generalize, it's often the case like that, what are the drawbacks in such a way of managing vulnerability disclosure? So today there is no direct notification to our incident response team, the product incident response team, so as a consequence it might be a very long time, more than two weeks, before we really get in touch
with the good-faith hacker and understand. And also, as illustrated here, our sector is not really understood today; you have seen the high rating by MITRE. So we need to have this kind of education, and hopefully the major airlines are kind enough, since they are doing their own risk assessment, to tune the level of patching. But if it hadn't been the case in this story, imagine: you need to know the exact product configuration, which aircraft, replay the exploit story in our big labs, find the source code, develop the patch, then again test in the big labs, and it's not finished: you need to go to a real aircraft to obtain what is called a field supplier acceptance test, which is provided by the airline for them to deploy the patch by ensuring it has no secondary effects on the system. And believe me, the best we did for this type of operation was something like three weeks, and even today there are some patches that we delivered something like more than one year ago that are not yet deployed by some airlines, because it's a long process to deploy a patch on all fleets, knowing that some aircraft are under maintenance and things like that. So what I would like to have in the future, in a better disclosure program, would be the following. First, establishing a direct exchange with the good-faith hacker; I think it's really important for us to understand, and for the hacker to understand better also. Then establishing clear remediation time and steps before going to publication, because depending on what has been found and what it is impacting, you understand that we don't have the same constraints as in the IT world, so we need more time in some cases. So now, if it's better, that's where you would say: okay, if I have a vulnerability to disclose, what are my possibilities today and how can I interact with you? So this is why we have set up, first, for the whole ecosystem, sharing
information capacities. When I say the whole ecosystem, I mean airports, airlines, aircraft manufacturers, suppliers. We have very few of them, but it has been set up; the first one more than four years ago. So now, which ones can you use? I would advise Aviation ISAC. Aviation ISAC is an aviation information sharing community, and they are providing support; they have incident response capacity to facilitate the interactions between the hacker community and the industry also. So it's a good point for you if you need it. Now a second one, particularly in Europe, is ECCSA, the European Centre for Cybersecurity in Aviation. They don't have an incident response capacity, but last year, for the DEF CON Aerospace Village, they set up a portal for you to enter the different subjects you would like to discuss, without telling the details, but just: I have something to say about an airport, or I have something to say about an airborne system, and then they put you through to the right stakeholders that are referenced at ECCSA, which is important also. So I hope it helps, and it will be easier for you now. So to recap, on the Thales side, we are definitely considering that with the changing paradigm we need to set up plans to embed good-faith hackers in our design and operation phases, and to do this with a win-win situation for both sides. To be honest, without this COVID crisis, we had scheduled with Lawrence to come to DEF CON. What was scheduled was to bring to you a mini lab representative of an in-flight entertainment system, one of our latest generation, so that you could have a hands-on exercise on it and also you could learn and try. So now we have done this webinar. This webinar is there to explain what we do, what our constraints and challenges are, and you have heard Yannick telling how the aircraft is part of the whole ecosystem and there is
no domain where only the aircraft is considered, but all the rest of the ecosystem as well. Lawrence has explained how the paradigm is changing, particularly post-COVID, with the need for our pen tests to be done remotely. And I've shared my views on how we see the integration of good-faith hackers in our design and how to improve vulnerability disclosure for you, for us and for our industry. So I'm sure that good-faith hackers can be part of the chain of trust in aviation, and we need to keep in mind that we are talking about safety-critical systems. So now I will tell you that if you want to get in touch with us, we have a dedicated address; you can see it on the screen. So it's PSIRT, I mean product security incident response, so it's really dedicated to what we are delivering. I hope it helps again. So thank you for your attention, and now I give you the floor for the questions.