Cybersecurity is no longer a matter for the IT department alone, explains Mike Bird, client director at Atkins. The risk it poses is growing, potentially affecting an ever-wider swathe of airport operations.
We are amid a technologically driven revolution. For airports and their passengers, this has the potential to bring substantial opportunities and benefits; the World Economic Forum (WEF) reported earlier in 2020 that artificial intelligence alone is expected to boost global economic growth by 14% by 2030.
These opportunities, however, also present themselves to airport industry’s C-suites as a catch 22. Investing in digital transformation implies both complexity and expense, and could therefore be seen as high risk. Conversely, failure to invest would see airports become more and more vulnerable in the face of ever expanding and increasingly dangerous cyberthreats, with potentially catastrophic effects. So, in the face of this conundrum, how can we better protect our airports from a cyberattack?
Operational technology (OT)
IT research and advisory firm Gartner refers to OT as “hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events.” In essence, OT is what keeps airports running. Due to the ongoing technological revolution, OT is increasingly becoming embedded in all facets of airport operations, be that baggage handling systems, security scanners, passport control, biometric scanners, CCTV, fuel pumps, air conditioning or control of entry devices, to name but a few. And thanks to OT’s growing interconnectivity, an attack to power supply, hardware or software could have substantially further-reaching effects than ever before.
The expanding threat
To an adversary, the increasing use of sophisticated technology substantially expands their attack options. The WEF’s Global Risks Report 2020 states that “Cybercrime as a Service is also a growing business model, as the increasing sophistication of tools on the dark net makes malicious services more affordable and easily accessible for anyone”. Noting that more than 50% of the world’s population is now online, and growing by approximately one million people each day, it adds that cybercrime is the “second most concerning risk for doing business globally over the next 10 years”.
Set within this context, attackers, at negligible risk to themselves, can undertake preliminary attacks from anywhere in the world. Without raising suspicion, they can conduct a detailed analysis of the targeted systems in preparation for executing primary attacks. These could result in physical damage to the airport, for example by shutting down air conditioning in the data hall, damaging the servers. This is not, however, solely confined to the virtual domain. Exploiting OT may also enable an attacker to bypass physical security measures and gain physical access within the airport for criminal or terrorist motives, such as planting an explosive device onto a fuel bowser.
Based on the balance of probabilities, we must recognize that at some point, all airports will be subject to a successful cyberattack. The frequency, severity and repercussions will be directly proportional to the effectiveness of the airport’s cyber and physical security measures.
A cyber-strategy is an operational strategy
As part of the UK’s Critical National Infrastructure, airports must adhere to the UK’s Network & Information System Regulations (NISR). To do so, the Civil Aviation Authority published CAP 1753 – a cybersecurity oversight process that promotes a collaborative approach to security. It highlights that, contrary to conventional thinking, cybersecurity is no longer a responsibility confined to IT. Now, airports must ensure they are resilient to a broader range of attacks, from those leading to power supply loss, hardware or software failure and physical damage, to attacks that resonate throughout the supply chain. Accordingly, cybersecurity must be treated like physical security and embedded into an airport’s infrastructure.
Planning for the long term
With all problems, the starting point is to recognize that they exist. Unfortunately, we still have a way to go; the WEF’s 2020 report stated that “using ‘security-by-design’ principles to integrate cybersecurity features into new products is still secondary to getting products quickly out into the market”. But as long as interconnectivity continues to grow and security is treated as a bolt-on, cyberthreats will continue to challenge airport operations.
However, it is not all about the technology. The European Information Security Summit recently identified that 88% of chief information security officers are suffering from high levels of stress, with an impact on both their professional and personal lives. Meanwhile, 97% of C-suite executives believe the cybersecurity teams should be ‘doing more with less’. Couple this with significant evidence that the majority of cyberbreaches are caused by employees (both inadvertently and maliciously), we must recognize that although an airport’s staff are a notable weakness in terms of cybersecurity, they have the potential to be its greatest strength.
So how do airports better protect themselves against cyberattacks, in the face of the predicted exponential rise in air passenger numbers and with digital innovations continuing to transform airport operations? They will need to adopt a holistic and people-centric risk-based approach to cybersecurity, led by the C-suite level, recognizing that effective employee training beyond the traditional IT team is fundamental to successful and long-term cyber-awareness.
Atkins is a British multinational engineering and consulting services firm.