Cybersecurity has become a main area of focus in the aviation industry as airports and airlines realize they are not immune to the latest cyber threats and attacks. A breach in an airport system could expose passenger’s personal data, impact security checks, affect back office systems, take over arrival and departure notifications, and more. The ensuing impact to an airport could ground its entire operation, result in lost revenues and tarnish its reputation. And while the risks are many, there has yet to be a comprehensive security requirement or approach embraced by the airport community.
The aviation industry has been identified as one of the 18 critical sectors by the U.S. Homeland Security Presidential Directive 7 (HSPD-7), requiring advanced cybersecurity solutions to combat the evolving cyber landscape and the increasing sophistication of cyber threats. Airports are a key part of this ecosystem and require cybersecurity standards.
“There is a wide disparity in the level of cybersecurity preparedness in airports today,” said Jim Knaeble, Global Products Management at Rockwell Collins. “It can vary from an airport where cybersecurity is almost non-existent to one that has a well thought out plan in place. Additionally, depending on the size of the airport, it may or may not have the IT staff in place to monitor, analyze and respond to suspicious network security behaviors.”
As airports become more connected and reliant upon technologies such as the cloud, integrated systems, and the Internet of Things (IoT) for increased efficiencies, it also opens the door to old and new vulnerabilities including security breaches, malware, spear phishing, social engineering tactics, identity theft, and more.
Late last year, it was reported that a hacker gained access to Australia’s Perth Airport systems and stole building plans and security information. In October 2017, the Ukraine’s Odessa Kiev airport reported IT system attacks. And a few months earlier, loudspeakers and screens for Vietnam Airlines were hijacked in two Vietnam airports, allowing the hackers to post offensive political messages.
“The Vietnam breach was the most notable involving an airport. While it wasn’t particularly technical, it demonstrates that systems don’t have the proper security and enforcement policies in place,” says Knaeble. “And that can lead other hackers to think about – and target – other airport systems.”
Cybersecurity for airports isn’t as easy as installing the latest firewall or malware detection software, Knaeble stressed. “There’s no ‘one size fits all’ for airport cybersecurity,” he notes. “Each airport environment is unique. Conducting a proactive risk assessment can identify vulnerabilities so a holistic cybersecurity program can be established.”
Once a plan is developed and security solutions are in place, ongoing internal education of security policies and enforcement is a critical component to a comprehensive cybersecurity plan, along with enforcement of security best practices within the airports vendor and partner ecosystem.
“Often we find the biggest vulnerability within each airport tends to be internal. Employees may connect devices or click on a link to a site infected with malware, which can open the door to a breach.”
While most of the breaches to-date haven’t impacted personal data or had a major financial impact, it may not be long before there is a more significant consequence, which is why airports are taking notice of cyber threats and are expected to more aggressively fund cybersecurity initiatives in 2018.
In fact, a 2016 Global Critical Infrastructure Cybersecurity Market Assessment by Frost and Sullivan reported that the cybersecurity market segment was valued at $1.61 billion in 2015. They also estimated that the compounded annual growth rate will be 10.0 percent between 2015 and 2024. “This growth reflects the importance airports are placing on protecting their assets from cyber attacks,” notes Knaeble.
While new and emerging technologies will play a part in overall airport security, according to Knaeble, “The number one area that airports should be looking to invest in is creating a holistic cybersecurity program. This will ensure that all of their systems are being handled the same way, regardless of vendor.”
To this end, industry groups like ACI World and others are launching initiatives focused on preventing cyber attacks. For example, the ACI World Airport IT Standing Committee (WAITSC) has created a cybersecurity task force whose mandate is to engage and educate airports worldwide on the issues of cybersecurity. And in mid-April, members of ACI, IATA, and A4A will be meeting to discuss cybersecurity, PCI, and payments.
“Airport cybersecurity will continue to be an industry priority for the foreseeable future,” notes Knaeble. “Moving forward, we’ll need to work together so that airports of all sizes can prioritize budgets, benchmark cybersecurity maturity against others, and educate airport stakeholders in the importance of a comprehensive cybersecurity program.”