5 minutes with... Belaid Oukaci

What is your background?

I started my career in cybersecurity at the National Health Agency in France (Agence du Numérique en Santé - ANS). At first, I worked as a security mission officer, a very reactive role focused on supporting clients in integrating cybersecurity into their systems. While in this role, I had the opportunity to work on the first French sectoral Computer Emergency Response Team (CERT). Focused on the health sector, this new CERT aimed to support university hospitals in responding to cyber security incidents, particularly ransomware attacks.

After a while, I moved toward a more proactive role within the ANS, such as conducting penetration tests and vulnerability scans. More specifically, I worked as a project leader for the development of a vulnerability scanner specially designed for university hospitals. This platform, launched in 2021, allows university hospitals to access the scanner via the CERT and receive free vulnerability reports to support them in proactively addressing security risks.

How did this experience influence your transition to Thales, and what are your current responsibilities?

While working with the ANS, I noticed increasing safety impacts from cybersecurity incidents. This sparked my interest in roles where safety is paramount rather than financial or reputational stakes.

That is the challenge that drew me to the Air Traffic Management (ATM) world: working on cybersecurity in a field where human lives are at stake, and safety constraints significantly influence how cybersecurity is managed.

Initially, I joined the Product Service Incident Response Team (PSIRT) in Rungis, France. More specifically, I contributed to developing Thales’ Vulnerability Management Services (VMS). This solution analyses our systems and those we sell to our customers to detect potential vulnerabilities and offer recommendations to address them.

Now, I work very closely with one of our Asian clients to integrate cybersecurity into their (very advanced) ATM system. My role involves embedding cybersecurity requirements into system design and overseeing their implementation during integration. We work very closely with the client.

What challenges does the ATM world face in terms of safety and cybersecurity?

One main challenge when considering cybersecurity in the ATM domain is the transition between legacy and new ATM systems, which have very different implications for cybersecurity. The transition itself has implications.

Some legacy systems can be as old as 30 years. Inevitably, this means that the equipment manufacturer no longer produces or maintains some of their components. As a result, some of these systems may be particularly vulnerable to cyber-attacks. In such cases, what do you do when a customer is not yet ready to transition to a new system?

New systems have the advantage of being cyber-secure by design. While this undoubtedly provides a certain level of safety, it is essential to remember that these systems are extensively interconnected, not only among themselves but also with external elements that might be more vulnerable to cyber-attacks. We must be vigilant about this interconnectedness because it exposes more surfaces to potential cyber attackers.

Managing these two aspects of cybersecurity in ATM systems that may combine legacy and new solutions requires extensive knowledge of the systems themselves and the broader AMS context.
One of the main challenges when working on cybersecurity in the Asia Pacific region is the regulatory landscape. In contrast with Europe, where common regulations like the NIS Directive promote a unified approach, the Asia Pacific regulatory framework is far more fragmented: some actors already have strong frameworks while others are still working on them. As a result, every case requires a tailored approach, with each ANSPs presenting unique needs and challenges.

In what ways can Thales provide the greatest value to ANSPs?

Thales can most effectively support ANSPs in addressing their needs by combining its cybersecurity expertise with its extensive knowledge of the ATM domain. Our strength lies in leveraging expertise from various business lines and global business units (GBUs), allowing us to offer comprehensive cybersecurity solutions tailored to ATM-specific challenges.

Allow me to give you an example. The Common Vulnerability Scoring System (CVSS) is the most common method used to assess the severity of a detected vulnerability. This metric provides a numerical score ranging from 0 to 10, 10 indicating the most severe vulnerability. This system, however, does not account for context.

What does this mean? When assessing the severity of a legacy system (remember, these were not built with cybersecurity in mind), it is not uncommon to get a very high severity score on a similarly high number of components. This could be quite alarming! But when analysing this information in the broader ATM context, many of the high-scoring components are not, in fact, particularly vulnerable. Conversely, context may reveal that specific components not initially identified as highly vulnerable with the CVSS could potentially be highly vulnerable given the customer’s context.

With Thales, cybersecurity is all about putting skills into context.

What do you like about working with Thales?

Working as a cybersecurity expert for Thales is never dull! Not only does the company offer the possibility of changing areas or countries, but it also requires cybersecurity experts to work across a wide variety of concepts. From networks and safety to product management, to name a few, Thales cybersecurity experts must retain their unique ability to offer cybersecurity within a given context and according to sets of requirements specific to each customer every time.

Cybersecurity in ATM, in particular, is very appealing because it is about ensuring safety within a context not originally designed with cybersecurity in mind. This translates into being able to develop strategies to protect highly complex systems that, on the one hand, are interconnected with external sources and, on the other hand, are subject to very stringent regulations. It is a new, exciting challenge every day.