Airports Council International Europe has released penetration testing guidelines for operational technology (OT) and industrial control systems (ICS) within airports. They are intended to provide a comprehensive framework for conducting cybersecurity assessments of OT and ICS equipment.
Developed by the ACI Europe Cyber Security Committee, the guidance outlines the risks and requirements for safely and effectively testing systems, including baggage handling, lighting, fuel management and access control technologies. The document emphasizes the need for careful planning, stakeholder coordination and a deep understanding of airport OT/ICS landscapes to avoid disruptions during testing.
The guidance addresses various testing approaches, from vulnerability scanning to red teaming, and underscores the limitations of traditional IT methodologies in OT contexts. Key components include a risk-based testing schedule, methodologies adapted to legacy and proprietary systems, and a strong focus on compliance with European and international cybersecurity standards.
The guidance promotes white-box and hybrid testing, discourages the use of fully automated tools in sensitive environments and recommends rigorous cleanup and reporting protocols.
“By following this guidance, airport operators can improve the security maturity of their OT/ICS systems, ensure compliance, and strengthen resilience against cyber threats – while minimizing operational disruption and maintaining trust across stakeholders,” ACI Europe said.
The framework is scalable and modular, enabling phased implementation based on an organization’s risk tolerance and resource availability.