Editor’s Note: This article series was originally penned by Dominic Nessi, AeroTech Partners Founder and Senior Technology Advisor for Burns Engineering. In the first part of the series, Nessi shared a list of “top-down” steps for decision makers to consider when it comes to their airport cybersecurity strategy. In this second portion, Nessi explains the corresponding “bottom-up” steps. By folding in this approach, airport decision makers can both save money and boost employee engagement with ongoing cybersecurity efforts.

After implementing the top-down steps, it’s important to look at what steps can be taken from the bottom up for a holistic, effective action plan for airport cybersecurity. What can be implemented on a daily basis to keep these crucial best practices moving forward?

Bottom-up
The ‘bottom-up’ approach focuses on the lower echelons of the organization and the day-to-day functions and best technology practices that every organization should carry-out.  However, even though they are ‘bottom-up’, these activities still need to have visibility with airport management.

    1. Cybersecurity Awareness Training – Every employee in the organization needs annual cybersecurity training that stresses the importance of basic cybersecurity safeguards and reminds personnel of the dangers associated with social engineering – a common threat vector of the bad guys.
    2. IT Employee Training – While the above step recommends basic cybersecurity awareness training for the entire organization, this step stresses the need for training of the IT department itself. Every technology employee must understand how to practice cybersecurity in the execution of their normal daily duties.
    3. Empower Cybersecurity Team – If your organization is large enough to have a dedicated cybersecurity team, don’t waste them. Instead, empower them and give them the freedom to be objective in evaluating every aspect of your airport’s cybersecurity practices – even outside the IT department.
    4. Lock Down Exercise – Set aside one day every year where the IT department’s time is dedicated to reviewing all of their internal practices, policies, procedures and activities to ensure that they meet the standards of the cybersecurity framework that the organization has adopted. Each IT employee should provide a report of their findings, activities, and promised actions to address any deficiencies that were found.
    5. Asset Inventory – This is easy in concept, but often proves to be a challenge in reality. Have an asset inventory of all of your hardware, software and firmware. You cannot possibly ensure that you have addressed every potential vulnerability unless you know everything that makes up your IT environment.
    6. Formal Patch Program – With the inventory in hand, you must beware of any published vulnerabilities as soon as they occur and implement patches, practices, or, in the case of zero-day threats, take you systems off-line until they can be operated safely. A successful patch program requires proper testing, timing the patch at a time when the operating environment can best accept the change into the environment, and, finally, test the result of the applied patch to be sure it doesn’t have any unintended consequences.
    7. Review Data Sets – You have already created a data governance policy. Now check that they are being followed. Review all databases and systems against the data governance policy to ensure that all data is being handled in accordance with the policy.
    8. Change Management – You must have a system that records every change made in your IT environment. The simplest changes can have the most disastrous impacts if not properly conceived or executed. The only way to correct unexpected errors is to have a complete record of everything that has been changed to determine the root cause of the issue.
    9. Secure Physical Space and Systems – The availability of your data systems is based on them being maintained in secure, environmentally safe settings with redundant power and protection against any natural or man-made threat. In this final step, cybersecurity and physical security are blended to ensure your IT environment is always available when it is needed.

So, you now have nine ‘top-down’ and nine ‘bottom-up’ practices that are the foundation of your airport cybersecurity program. Once implemented, you will have a far better idea of how cyber-secure your environment is and where to make future investments.

Dominic Nessi

About Dominic Nessi

Mr. Nessi serves as the founder of AeroTech Partners and as a Senior Technology Advisor to the Burns Engineering (BE) aviation consulting practice. AeroTech Partners is an aviation industry technology consulting firm focusing on critical airport technology issues, including cyber and physical security, passenger customer experience, common use processing, airport technology infrastructure, airport business systems and telecommunications. Mr. Nessi also works with a number of other ATI organizations, including ACI World, and Barich, Inc. He is the Chairperson of the ACI World Cybersecurity Taskforce.