Commentary: How Airports Can Protect Themselves From Cyber Threats


Airports, airlines and government regulators must remain attentive to addressing a concern that can easily be pushed to the back seat: cybersecurity threats.

A report from the Cyberspace Solarium Commission 2.0 Project highlights the heightened cybersecurity risks facing the aviation sector and argues the industry must address vulnerabilities stemming from aging technology and outdated software amid growing risks from sophisticated bad actors. Given the industry’s increasing reliance on interconnected technology systems, commercial airlines, airports and federal agencies are under pressure to address their growing exposure to online threats.

It has never been more critical for airports to harden technology systems and bolster their cybersecurity resilience.

There have been several high-profile cyber incidents targeting airports around the world, most recently affecting Kuala Lumpur International Airport. This ransomware cyberattack, which disrupted airport operations, was not an isolated incident. EASA reports an average of 1,000 cyberattacks per month on aviation systems worldwide. These attacks come from both low-skilled individuals and sophisticated nation-state actors, pose unique threats to airport systems and data, and can be costly. Every hour of disruption during peak times at a large airport can cost $1 million.

Potential vulnerabilities exist throughout an airport’s technical operations. Airports utilize operational technologies for baggage handling systems, passenger flow sensors, biometric immigration controls, security scanning and much more. As personal information is collected and processed through apps and services, the data becomes a desirable target for cybercriminals. The integration of operational technologies with broader information technology systems expands the threat landscape, and centralized technology architectures that connect various systems through middleware platforms enlarge the potential attack surface even further. Potential risks are further magnified when data is shared through initiatives like the FAA’s System Wide Information Management (SWIM).

Major airports with greater operational complexity and integrated systems are attractive targets and are most exposed to attacks. When air traffic control relies on digital remote tower connections, the data links can be disrupted by cyberattacks.

To address these growing threats, it is important for airports to adopt a comprehensive, enterprise-wide approach to cybersecurity. These are among the practical steps they can take:

  • Conduct holistic risk assessments: Prioritize comprehensive risk assessments encompassing all information, operational and enterprise technologies to identify critical assets and prioritize security efforts.
  • Secure by design: Integrate cybersecurity into the design stage of airport systems and infrastructure to develop robust security architectures.
  • Adopt a life-cycle approach: Design, build, operate and decommission systems with security in mind to ensure resilience to emerging threats.
  • Establish strong leadership and governance: Implement a governance framework based on international standards and a fit-for-purpose cybersecurity organization. Create a single point of accountability for cybersecurity at the leadership level.
  • Align cyber, physical and personnel security: Incorporate cybersecurity aspects into the overall airport security plan and ensure all stakeholders are aware of their responsibilities.
  • Develop incident response capabilities: Establish security monitoring; obtain threat intelligence through rapid sharing of cyber threat information with airlines, airports and government authorities; and develop incident response plans and rapid response capabilities.
  • Foster a strong cybersecurity culture: Implement awareness and training programs to raise the cybersecurity maturity of all stakeholders. It only takes one employee’s failure to recognize a phishing attack or the use of a weak password to create the vulnerability that can trigger an entire system’s failure. Without robust training, humans are destined to be the weakest link in the cybersecurity chain.

Airports need to innovate and strategize the deployment of security controls. Many are turning to AI to enhance the guest experience and improve operations, but AI introduces its own security risks. Ethical use and protection of sensitive data, especially personal information, are essential. Because AI has also made attacks more sophisticated by generating hyper-realistic phishing content, airports must deploy additional security controls within the operational technology environment. This includes deploying specialized monitoring tools, data diodes that ensure the secure transfer of information between networks, and security gateways to protect critical systems like security screening equipment.

By understanding the evolving threat landscape and implementing comprehensive security measures, airports can enhance their resilience and ensure the safety and security of their operations and passengers.

Justin Lowe and Ben Kaintoch are digital trust & cybersecurity experts at PA Consulting. Carlos Ozores is an aviation expert at PA Consulting.