THE ANNUAL SUMMIT is the premier face-to-face networking and educational engagement that demonstrates the value and positive impact of collaborating across the global aviation community.
Attending the Summit? Please review our safety tips while in Barcelona.
Monday, 28 October
Please note: Unless otherwise indicated, Monday activities are for A-ISAC members only
8:30 AM - 5:00 PM
9:00 AM - 5:00 PM
Network Security Architecture Working Group
8:00 AM - 12:00 PM
AIA-ASD Joint Cyber Subcommittee Working Meeting (invited participants)
1:00 pm - 5:00 PM
ICCAIA and IATA Aviation Cybersecurity Collaboration Strategy Meeting (invited participants)
Tuesday, 29 October
Please note: Unless otherwise indicated, Tuesday activities are for A-ISAC members only
9:00 AM - 5:00 PM
Product Security Working Group
9:00 AM - 12:00 PM
Aviation ISAC Board of Directors Meeting (board members only)
1:00 PM - 5:00 PM
CISO Roundtable (open to CISOs from non-member companies)
1:00 PM - 5:00 PM
Compliance Working Group
2:00 PM: SUMMIT REGISTRATION OPENS
5:30 PM - 7:00 PM
Summit Kick-off Happy Hour, (open to all registered Summit attendees)
sponsored by Armis
To sign up for a sponsor dine-around, please use this link.
WEDNESDAY, 30 OCTOBER
8:00 AM - 8:50 AM
9:00 AM - 5:00 PM
Student Cyber Challenge
9:00 AM - 9:15 AM
Official Summit Welcome, John Craig, A-ISAC Board Chair
9:15 AM - 10:00 AM KEYNOTE: Corporate Exposure in a Hyperconnected World—Managing the Risk
KEYNOTE: MELISSA HATHAWAY
Melissa is a leading expert in cyberspace policy and cybersecurity and consults governments, global organizations, and Fortune 500 companies on cybersecurity, enterprise risk management, and technology assessments. She is globally recognized as a thought leader and has spent the last decade developing relationships with the highest levels of governments and international institutions, advising UN, NATO, the ITU, the OAS, and other key institutions and governments. She teaches at universities around the world and has distinguished affiliations with Harvard Kennedy School’s Belfer Center for Science and Technology, the Center for Asymmetric Threats Studies—National Defense College, Sweden, the Digital Science Institute—European School of Management and Technology, Germany, and the CyberLaw Research Program at Hebrew University in Israel. She also leads research initiatives at the Centre for International Governance Innovation in Canada, the Kosciuszko Institute in Poland, and the Potomac Institute for Policy Studies in the United States.
Targeted attacks are increasing and our defensive posture remains weak. Ms. Hathaway will discuss the impacts of information communication technology dependence and the entanglement of economic growth and national security risks that are presented by the Internet. Through a series of case studies, she will illuminate the tensions and challenge attendees to consider how to drive economic efficiencies and bottom-line results while ensuring continuity of business operations and critical service (delivery) resilience.
10:00 AM - 10:45 AM
The Answer to Cyber Threats is Leadership
Paul Dwyer, International Cyber Threat Task Force
Effective leadership is the key to dealing with cyber threats and a cyber strategy aligned with the business strategy is a board imperative. When flying from A to B, pilots rely on key metrics to adjust their course and deal with the dynamics of the route. It’s no different for aviation industry leaders, who must understand the factors of cyber risk in order to embrace the opportunities that innovation brings to the sector. Paul Dwyer, founder of the International Cyber Threat Task Force, will outline the key metrics required and effective approaches organisations can take in order to meet these challenges.
10:45 AM - 11:30 AM EXHIBITOR NETWORKING AND REFRESHMENT BREAK
11:30 AM - 12:15 PM
The Black Box of Business Email Compromise: Dispatches from the Fight Against BEC Scammers
John Wilson, CTO, Agari
Using responsible Active Defense techniques, Agari routinely uncovers multinational BEC gangs and proactively informs victims. In this session, we will take you behind the scenes of several high-profile scams to learn how ACID (Agari Cyber Intelligence Division) identifies victims, unmasks threat groups, exposes the tactics used to ensnare companies across the globe, and ultimately mitigates the damage caused by these criminals.
12:15 PM - 1:15 PM LUNCH, sponsored by Shape Security
1:15 PM - 2:00 PM
Every Second Counts: Prioritizing Speed and Security in the Cloud Era
Shawn Henry, President, Crowdstrike
In business and in government alike, speed and responsiveness can dictate success or failure. It’s equally true in the fast-evolving field of cybersecurity, where stealthy breaches can develop in a matter of hours, inflicting devastating consequences. Join Shawn Henry, former FBI Executive Assistant Director and current President and Chief Security Officer of CrowdStrike as he discusses how the cloud- and AI-based approach is being widely adopted by public and private sector entities, and though they often operate in different environments and at different scales, their defensive cyber practices can and should incorporate the same strategies: hunting continuously, utilizing cloud-enabled technologies, safeguarding the supply chain, and prioritizing speed with the “1-10-60 Rule.” Shawn will give insights on evolving threats and case studies in the aviation arena and new best practices for protecting sensitive information from global criminal groups and nation-states. You’ll leave this session having learned the security strategies that are enabling organizations across all industries and all geographic boundaries to gain the upper hand against cyber adversaries.
2:00 PM - 2:50 PM EXHIBITOR NETWORKING AND REFRESHMENT BREAK
3:00 PM - 3:50 PM BREAKOUTS
EATM-CERT Services Supporting European Aviation
Patrick Mana and Bilgehan Turan, EATM-CERT
EUROCONTROL's EATM-CERT (European Air Traffic Management Computer Emergency Response Team) provides its services not only within the Agency but to the aviation stakeholders of its Member States. The first part of this presentation will focus on lessons learned and findings for services such as automated means to share cyber information (e.g. MISP), managing cyber threat intelligence, detecting leaks of credentials or sensitive documents, and fighting scams impersonating EUROCONTROL staff and sent to airlines, airports, ANSPs. The second part of the presentation will address the lessons learned from conducting penetration tests on ATM systems (ANSPs, airports) with a focus on the current threats on air-gapped systems and prevention methods.
Why Posting Images of Boarding Passes on Social Media is a Bad Idea
Francis Long, Technological University Dublin
Passengers who post images of their boarding passes onto social media may not be aware that the images often reveal their boarding pass barcode. These barcodes can be deciphered to reveal passenger names, flight details, booking references and in some cases the passenger frequent flyer number. Dr. Long will share his research analysis findings of more than 100,000 boarding pass Instagram posts to highlight how data is inadvertently shared and the risks this exposure creates for loyalty accounts and programs.
One Year Into GDPR: What Has Changed in the Cyber Security Landscape
Cyrille Aubergier, SITAONAIR
We’re one year into GDPR implementation: how has the adoption impacted supplier assessments, incident review processes, inventory reviews, data exchange and connections, and more? SITAONAIR will link the implications of GDPR on these issues to traditional security frameworks such as ISO27 and NIST.
4:00 PM - 4:50 PM BREAKOUTS
ICAO Trust Framework
Saulo Da Silva, International Civil Aviation Organization; Daniel Diessner, Boeing; Patrick Mana, EUROCONTROL; Tomi Salmenpää, Traficom (CAA Finland); Eric Vautier, Aéroports de Paris
When considering the evolution of the air navigation system toward a digitally connected environment for better exchange of information, it is necessary to put in place a trusted network to reduce the cyber threat surface and guarantee the resilience of the aviation system. In this context, a trust framework is being developed by ICAO in partnership with aviation and non-aviation stakeholders that will provide for the needs of a constantly evolving
aviation ecosystem. The panel will discuss the issues and needs associated to a trust framework in an aviation digitally connected environment.
Security and Privacy in Wireless Aircraft Communication
Dr. Martin Strohmeier, Swiss Cyber-Defence Campus
Working with — instead of against — academics and other independent security researchers is important for both detecting and fixing vulnerabilities. This session will examine responsible disclosure processes and the benefits of and more open information sharing within aviation, potentially taking inspiration from the software industry. Dr. Strohmeier will also present preliminary research results in how to incorporate the impact of cybersecurity
risks into the training of aviation professionals such as pilots and air traffic controllers.
Leveraging ATT&CK to Enable Drive Control Improvements
Matthew Harless, United Technologies Corporation
Security organizations often struggle to clearly understand and communicate security gaps and prioritize efforts to improve cyber controls. The ATT&CK framework can provide your team a common language and structure that allows you to clarify communications and prioritize your work. During this session we’ll share how we’re leveraging the ATT&CK framework. As an example, we’ll show how we used reporting from an external intrusion to map attackers' actions to ATT&CK and assessed our controls against the techniques they employed. We then assessed our risk and developed a strategy to close and test the gaps in our security controls.
5:00 PM - 5:30 PM AVIATION ISAC MEMBERSHIP MEETING (members only)
6:00 PM - 9:30 PM FIVE-YEAR ANNIVERSARY DINNER RECEPTION
Sponsored by ReliaQuest
Transportation to and from Esferic will be provided. Meet in the hotel lobby
at 6:00 pm to board the buses.
10:00 PM - 11:00 PM LATE-NIGHT ROOFTOP HOSPITALITY SUITE
Sponsored by Valimail
THURSDAY, 31 OCTOBER
8:00 AM - 8:50 AM BREAKFAST
8:00 AM - 8:50 PM WOMEN'S NETWORKING BREAKFAST
sponsored by GE Aviation
9:00 AM - 9:50 AM
Risk is Risk: Improving Resiliency Integration No Matter the Threat
Mahmood Khan, United Airlines; Olivia Stella, American Airlines; Matthew Vaughan, IATA, Larry Grossman, FAA
Risk is risk. Whether we are discussing physical security, safety management, or digital security, modern risk management and resilience approaches must be integrated in principal. This panel discusses the trends of aviation to help identify what needs to be protected in the future; the general threat landscape; and how to promote morally-guided vulnerability research and disclosure.
9:45 AM - 10:30 AM EXHIBITOR NETWORKING AND REFRESHMENT BREAK
10:30 AM - 11:00 AM
Landing the Right Security Metrics with your Board: A Fireside Chat
Dave Merkel, Expel; Michael Scobee, Delta Air Lines
Your team’s been busy defending your organization from crafty attackers, but how do you prove that the work you’re doing adds business value? In this session, you’ll hear from Michael Scobee, Cyber Security Director at Delta Air Lines, about how he showcases the outcomes of investigations, shares potential risks to the business, and translates how incident and investigation trends matter to the bottom line. Get tips on how to determine
what matters most to the board, and how to package and present your own org’s metrics that mirror those priorities. The chat will be moderated by Dave Merkel, CEO of Expel.
11:00 AM - 11:50 AM
Managing the New Hyper-Connected Reality: The Convergence of Physical-Cyber Systems
N. Luke Thomas, Rolls-Royce
Autonomous vehicles, the electrification of everything, the internet of things, and artificial intelligence, regardless which is your favourite buzzword du jour, all have the potential of driving increased capability across the aviation industry while simultaneously creating new attack vectors for aviation systems. In this talk, N. Luke Thomas of Rolls-Royce will discuss how physical security and cybersecurity are converging enabling attackers to leverage physical attacks against traditionally cyber systems, or cyber-attacks against traditionally physical systems. This new ‘hyper-connected’ reality requires a new proactive and collaborative
approach to system-of-systems development and operation. Inspiration from existing paradigms in both physical security and cybersecurity will be used to discuss how the aviation industry can develop safe and secure systems that can co-exist in both the physical and cyber ‘worlds’ simultaneously.
12:00 PM - 1:00 PM LUNCH AND FIVE-YEAR ANNIVERSARY RECOGNITION
1:00 PM - 1:45 PM
AIA-ASD Civil Aviation Cybersecurity Recommendations
Nathalie Feyt, Thales and ASD; Patrick Morrissey, United Technologies Corporation; Siobvan Nyikos, Boeing; Dr. Stefan Schwindt; GE Aviation
Join representatives from Aerospace Industries Association (AIA) and AeroSpace and Defence Industries Association of Europe (ASD) as they discuss their development of product security standards that benefit the entire aviation sector and how OEMs and suppliers are collaborating on industry recommendations that will benefit operators. The presenters will provide an overview of aviation cybersecurity industry recommendations and existing
activities, with a focus on key recommendations to improve product security. They will also discuss how AIA and ASD address current and future EASA and FAA cyber regulations and how they work to build trust in the industry.
1:45 PM - 3:00 PM EXHIBITOR NETWORKING AND REFRESHMENT BREAK
3:00 PM - 3:30 PM
There’s a Malicious Bot Seated in 10B
Shreyans Mehta, Cequence Security
At first glance, it appears that a high volume of legitimate customers have logged into your web site to check fares and upcoming flights. Good news, right? Maybe not. The airline industry has been plagued by bot attacks targeting their web, mobile, and API-based application assets. These attacks have many objectives, but they all have factors in common: they’re costly, disruptive, and extremely difficult to detect using traditional security tools. In this session, we’ll look at how these attacks work, how the attackers can hide in plain sight,
and innovative strategies for eliminating that bot seated in 10B.
3:30 PM - 4:00 PM
Understanding the Aviation Ecosystem: Tackling the Challenges of Visibility and Vulnerabilities in a Complex Global Environment
Nadir Izrael, CTO, Armis and Mahmood Khan, United Airlines
Cyber-attacks come from anywhere. In our industry we depend on a complex network of systems, devices, and sensors to keep operations moving, so traditional security methods focusing solely on data centers are just not enough in the world of aviation. Employees, customers and 3rd parties across the world, on the ground and in the air, connect devices and systems to our networks constantly. Understanding this risk starts with truly seeing everything.
4:00 PM - 4:50 PM
International Regulatory and R&D Initiatives
Alan Burke, U.S. Air Force; Siddharth Gejji, Federal Aviation Administration; Davide Martini, European Union Aviation Safety Agency; Mary McGinley, DHS/FAA; Eynav Haim Sayag, National Cyber Directorate Prime Minister’s Office; Randy Talley, DHS, and Larry Grossman, FAA
Listen as this panel of national-level cybersecurity policy and R&D experts discuss enhancing international cyber collaboration and how to further the goal of strengthening international partnerships. The panel will touch on the U.S. Aviation Cyber Initiative and its purpose of reducing aviation cybersecurity risks and improving cyber resilience across the aviation. The panel will also discuss other global/regional/national strategies and common touchpoints and compare and contrast global Research and Development programs, and help attendees understand the international community’s CONOPs, challenges, and international partnerships. The panel will also identify and discuss ways to identify common interagency and industry aviation cyber objectives, and provide examples of how to leverage interagency and industry resources and their applicability to the broader international aviation community.
5:00 PM - 6:00 PM CISO GATHERING
5:30 PM - 7:00 PM HAPPY HOUR
sponsored by Shape Security
To sign up for a sponsor dine-around, please use this link.
FRIDAY, 1 NOVEMBER
7:30 AM - 8:30 AM BREAKFAST
8:30 AM - 12:00 PM TABLETOP EXERCISE (closed to vendors)
Stress Testing Global Aviation Operations: An Interactive, Real-World Scenario Crisis Management Exercise
Facilitated by Crowdstrike, this year’s tabletop will put participants in the metaphorical hot seat of a simulated real-world, real-time major aviation cybersecurity incident.
Participants will engage with their private and public sector counterparts to work through incident response, identify strengths and weaknesses, and determine an improved path forward to help improve resiliency should a worst case event occur.
Attendees will see first-hand how industry responds and be able to leave the exercise with best practice improvements they can incorporate into their incident response plans.