Similarities between Cybersecurity and Aviation
Learning
7/27/2024
Why Cybersecurity?
I have always been interested in technology, in particular software, and how it can improve our lives. But I also realized that technology comes with risks and challenges, especially when it involves sensitive data and critical systems.
That's why, five years ago, I decided to start reading about and studying cybersecurity, with a focus on medical device cybersecurity and corporate information security.
The Human Factor of Cybersecurity
Cybersecurity is not only a technical challenge, but also a human one. Humans are often the weakest link in the security chain, as they can make mistakes, fall for scams, or interpret malicious activity as credible. Therefore, it is essential to understand the psychological aspects of cybersecurity and how to mitigate the human risks.
One of the books that influenced my thinking on this topic was "Thinking, Fast and Slow" by the late Daniel Kahneman, a Nobel laureate in economics and a pioneer in behavioral economics and cognitive psychology.
Kahneman explains how humans have two modes of thinking: System 1 and System 2. System 1 is fast, intuitive, and emotional, while System 2 is slow, rational, and logical. System 1 is useful for many everyday situations, but it can also lead to biases, errors, and illusions. System 2 is more reliable for complex and critical decisions, but it requires more effort and attention.
In the context of cybersecurity, System 1 can make us vulnerable to social engineering attacks, such as phishing emails, fake websites, or phone calls. These attacks exploit our emotions, such as fear, greed, curiosity, or an exaggerated sense of responsibility, and trick us into clicking on malicious links, opening attachments, or disclosing sensitive information. System 2 can help us detect and prevent these attacks, but it requires us to be vigilant and aware of the potential signs of deception, such as spelling errors, mismatched domains, or urgent requests.
Therefore, one of the key skills that I learned and practiced was to apply structured thinking to cybersecurity situations. Structured thinking is a method of breaking down a problem into smaller and simpler parts, and then analyzing each part systematically and logically. This can help us avoid jumping to conclusions, making assumptions, or relying on intuition.
For example, when I receive an email from an unknown sender, I use structured thinking to examine the sender's address, the subject line, the content, the attachments, and the links. I also compare the email with previous ones that I received from the same sender or organization, and look for any inconsistencies or anomalies. By doing this, I can reduce the chances of falling for a phishing email.
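A small checker for the structured examination just described (sender domain against the organization's previously seen domain, Reply-To versus From, link text versus link target, urgency cues), as an added example in Python that is not part of the original post; the message, the known domain and the word list are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample message (not a real email) showing typical inconsistencies.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <support@examp1e-bank.com>
Reply-To: collect@mailbox-relay.example
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html

<p>Please verify your account immediately at
<a href="http://login.examp1e-bank.com/verify">https://www.example-bank.com/login</a></p>
"""

# Domain previously seen from this organization (constructed baseline).
KNOWN_SENDER_DOMAINS = {"example-bank.com"}

URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended")
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)
ADDR_RE = re.compile(r"<([^>]+)>|([^\s<>]+@[^\s<>]+)")

def _domain_of_address(header_value):
    """Return the domain part of the first address in a header value, or None."""
    m = ADDR_RE.search(header_value or "")
    if not m:
        return None
    addr = m.group(1) or m.group(2)
    return addr.rsplit("@", 1)[-1].lower()

def examine_email(raw, known_domains=KNOWN_SENDER_DOMAINS):
    """Apply the structured checks one by one and return a list of findings."""
    msg = message_from_string(raw)
    findings = []
    from_domain = _domain_of_address(msg.get("From"))
    reply_domain = _domain_of_address(msg.get("Reply-To"))
    if from_domain and from_domain not in known_domains:
        findings.append(f"sender domain {from_domain} not seen from this organization before")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency cues: " + ", ".join(hits))
    for href, label in ANCHOR_RE.findall(msg.get_payload()):
        href_host = urlparse(href).hostname          # where the link really goes
        label_host = urlparse(label.strip()).hostname or label.strip()  # what it shows
        if href_host != label_host:
            findings.append(f"link text {label_host} points to {href_host}")
    return findings

if __name__ == "__main__":
    for finding in examine_email(SAMPLE_EMAIL):
        print("-", finding)
```

Each finding is one clue; none alone proves phishing, but together they justify pausing before clicking anything.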
Good cybersecurity habits and behaviors include using strong passwords, updating our software, backing up our data, and using encryption. These habits can seem tedious or inconvenient, but they can make a big difference in protecting our devices and data from cyberattacks. Understanding the rationale and the benefits of these habits helps us overcome the psychological barriers that prevent us from adopting them. For example, when I create a password, I use a random character sequence generator to produce a long combination (20 or more characters) of letters, numbers, and symbols, and store it in a secure password manager.
Common advice for passwords in daily use suggests a length of 12 characters with some level of complexity. A more recent recommendation is to sacrifice complexity for length: very long passphrases of over 20 characters are more secure, because a longer password is harder to crack if stolen. Multi-factor authentication is an additional way to resist malicious attacks. MFA should be configured for any critical service where your money or reputation is at stake.
By combining structured thinking with common sense, I believe that we can become more resilient and responsible in the digital world. We can act as human firewalls against cybersecurity threats, and protect ourselves and our organizations from cyberattacks. We can also contribute to a more secure and trustworthy cyberspace, where we can enjoy the benefits of technology without compromising our own privacy and security, or that of others.
Medical Device Cybersecurity
One of the sources that inspired me was the book "Medical Device Cybersecurity" by Axel Wirth, Christopher Gates and Jason Smith. It opened my eyes to the complex and evolving threats that face the healthcare industry and the patients who rely on medical devices. I will continue to learn about the constantly evolving regulatory frameworks, the best practices and the emerging technologies that can help protect these devices from cyberattacks.
Another source that I followed was the LinkedIn feeds of cybersecurity experts, who share their insights and experiences on various topics and trends. I learned a lot from their posts and comments.
Corporate Information Security
Finally, I decided to get myself certified by ISC2, a leading organization for cybersecurity education and certification. I wanted to validate my knowledge and skills, and also demonstrate my commitment and credibility to my employer and its clients. Just recently, I gained the Systems Security Certified Practitioner (SSCP) certification, which covers the core technical aspects of corporate cybersecurity. My goal is to attain the renowned Certified Information Systems Security Professional (CISSP) certification in 3-4 years.
How It Relates to Aviation
Some of you may wonder what cybersecurity has to do with aviation, which has been another passion of mine. I started piloting gliders at the age of 16 and later, as an adult, also flew single-engine planes around busy airports on the West Coast of the United States. I enjoy the thrill and the freedom of flying, but I also respect the rules and the responsibilities that come with it.
The similarity to cybersecurity lies in the rigorous pre-flight checks and monitoring during flights as an essential proactive measure for safety. Just like in cybersecurity, you have to be prepared for any scenario, anticipate any problems and react carefully and effectively to any situation. You also have to keep learning and updating your skills and knowledge, as both fields are constantly changing and evolving.
In my article about piloting an aircraft and not falling for biases, I mentioned the importance of avoiding overconfidence. Just because I might know more than others does not mean that I won’t make mistakes. When the ego steps in, things can quickly go wrong. Many books illustrate how even experts have failed spectacularly due to self-blindness.
There are great sources of inspiration on YouTube, where the Mentour Pilot channel in particular stands out for its in-depth analyses of aircraft accidents. The experienced Swedish airline captain combines his professional and technical expertise with phenomena from psychology that adversely affect the judgment of even very experienced pilots in charge of an aircraft, crew and passengers.
When Something Feels Wrong, It Usually Is
What applies to both flying and cybersecurity is the notion that "when something feels wrong, it usually is wrong". If one of many otherwise coherent characteristics seems out of place, then it is time to pause and reconsider the situation. In aviation this means "keep flying the plane" and re-analyze the situation. In cybersecurity, it means adding more clues to the picture and validating the legitimacy of any request that seems out of place.