By Javier Caldes-Casas, Airport Security Expert, Munich Airport International GmbH
As new technology emerges with the use of the Internet of Things (IoT) and others for automation, connectivity and information sharing, the cyber-threat adapts. From self-check-in kiosks and automated bag drop systems to access control to secure areas, ‘smart’ gates or simply available Wi-Fi for the general public, the automatisation of airport systems offers numerous advantages both for airport operators and the travelling public. However, it also comes with new vulnerabilities. The European Aviation Safety Agency (EASA) estimates that an average of 1,000 attacks occur per month on aviation systems, thus becoming a real threat to airport safety, security and reputation.
With airports considered critical infrastructure, national security can also be compromised by cyber-attacks. As Dr Maaßen, the President of Germany’s BfV (Federal Office of the Protection of the Constitution), recently stated: “The national security in Germany is increasingly defined by the national cybersecurity situation.”
Cybersecurity risks evolve fast and the very nature of cyber-attacks, characterised by their low cost, makes them very affordable to terrorist and criminal organisations.
Understanding the threat
The US National Institute of Standards and Technology (NIST) categorises the cyber-threats to airports into political or military, commercial espionage, disruption, and cybercrime. For instance, as airports are symbolic, a cyber-attack could disrupt and critically damage public trust; organised crime networks and foreign governments may target sensitive documents such as airport planning, construction, budget and government documents; attackers may target networked systems to deny user access, corrupt data, or inflict damage; or other targets may include credit card information from parking services and baggage fees.
As a result, airport operators may face attempts to access physical security systems or access controls; disruptions on air bridge functions, air conditioning, heating, electrical systems, electronic signage, baggage systems, parking services, Wi-Fi networks or Distributed Denial of Service (DDoS) to make the airport’s online services unavailable. In addition, the implementation of networked screening equipment, such as Explosive Trace Detection (ETD) units and body scanners, very useful to the airport operator for statistics and process improvements, can also become targets for hacking attempts (imagine, for instance, hacked ETD equipment providing only ‘negative’ results to prevent a terrorist wearing a non-metallic explosive device being detected at the screening point). In essence, as the President of Germany’s Federal Office for Information Security (BSI), Mr Arne Scönbohm puts it: “Cyber-attacks have an immediate impact on the real world.”
At a governmental level, different agencies are taking proactive steps to promote awareness. The EU Agency for Network and Information Security (ENISA), for example, through Cyber Europe exercises conducts annual simulations of large-scale cybersecurity incidents. In the intelligence community, Germany’s BSI participates in pan-European cyber defence exercises; the UK Government has just published the Aviation Cyber Security Strategy; Munich Airport opened the Information Security Hub (ISH) and other agencies have developed awareness campaigns with cooperation programmes with the private sector – which nowadays own, lease or operate critical infrastructure – to provide threat intelligence and advice.
Being proactive, key to resilience
Even though cybersecurity is a relatively new risk, it is important to understand that airports’ CEOs and Directors will still be held accountable should a major cybersecurity breach occur, just as they would for a physical security incident. Ideally, cyber resilience would be built into the future innovations from their conception, but being proactive is key to avoid ‘nasty surprises’.
As an airport operator, a cybersecurity programme would involve having a clear understanding of your airport, and identifying your particular critical assets, risks and vulnerabilities by conducting a Cybersecurity Risk Assessment.
Taking a proactive approach means that any airport operator ensures that cybersecurity is part of their security plan, describing how cybersecurity is managed within the airport and outlining the security controls in place. In addition, it should be included in incident response and business continuity plans. As the UK Government Communications Headquarters (GCHQ) says: “Put cybersecurity on the agenda before it becomes the agenda.”