Airports connect the world now more than ever. Every airport nowadays functions much like a small city, providing connectivity for goods and services, driving tourism, and fueling local economies. For this reason, protecting our nation’s airports is even more important than ever before.
Understanding the Cyber Landscape
Airports possess deeply woven networks of people, processes, and technology; operational technology handles baggage, lighting, and facility management systems while information technology supports email, scheduling, ticketing, and data management.
The people who are trained on how to manage these technologies have certain processes and responsibilities that they have to follow across the airport. The moment any of these expected programs fail within the airport, the effects are immediate, widespread, and are felt well beyond the airport.
In the last 5 years, airports have been the target of several attacks ranging from distributed denial of service attacks meant to take specific systems offline to ransomware attacks in which attackers lock key systems and demand a pirate’s ransom for an unlock key. Because of these attacks, the Transportation Security Administration (TSA) was forced to establish cybersecurity requirements for airports in an effort to standardize security across the board.
The TSA Cybersecurity Requirements include the following actions:
Develop network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised, and vice versa;
Create access control measures to secure and prevent unauthorized access to critical cyber systems;
Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations; and
Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.
While these actions are a good starting point, they may not be enough for modern airports to truly ensure their security against modern threats.
Governance and Risk Management
Good cybersecurity hygiene starts with understanding the importance and the connection between people, process, and technology. In regard to people, airport leaders need to set the tone across the airport and ensure that clear responsibilities and expectations are implemented in all departments.
This means that everyone shares the responsibility of understanding and incorporating risk into their daily routines. Leadership should also conduct regular risk assessments in the airport and be sure that outcomes from those assessments are not just remediated but also communicated to various stakeholders and team members to keep everyone on the same page.
With people on the same page, it is important for good processes to be designed for the airport. Often times, airports rely on tribal knowledge as opposed to establishing repeatable processes. Documented processes can be followed in the event of an emergency, and they create opportunities for dialogue. Additionally, in the event of an incident, it is possible to review established plans and make decisions about effectiveness. Having good processes and procedures can save time in the event of an incident and ensure that everyone is following the correct steps.
Technology Management
Airports use a variety of technologies to keep their operations running smoothly, from flight information and baggage handling systems to access control and building management platforms. However, the same systems that improve efficiency can also create cybersecurity risks if they are not properly secured.
One of the most important steps in strengthening airport cybersecurity is to avoid using standard settings because default configurations and passwords are common entry points for attackers. Each technology solution should be adjusted to meet the airport’s specific operational needs and risk profile. In addition, all applications and system updates should be carefully tested before deployment to confirm that they work securely and reliably within the airport’s complex environment.
By building security into configuration management and system validation processes, airports can reduce vulnerabilities and maintain the resilience needed for safe and continuous operations.
Vendor Management
Airports use several vendors to facilitate their day-to-day operations. While using vendors can be unavoidable, it is important to realize that transferring the risk does not completely remove the risk from the airport.
Just last month, several European airports were hit when the check in systems provided by their vendor were riddled with ransomware. While this was not an attack against the airport directly, those check in systems caused several delays and forced airports to either switch to manual procedures or close airport terminals altogether. Airports need to scrutinize vendors and vendor systems. They can do this by:
Identifying what access the third party tool needs to function. Beware of tools that require global admin rights to properly operate
Request risk assessments and penetration test results conducted against the vendor. If the vendor has not conducted any sort of assessment in the last year, the airport should conduct its own risk assessment based on established frameworks such as the NIST Cybersecurity Framework (CSF) or ISO 27001:2022.
Review current vendors contractual obligations and service level agreements to ensure that the vendors are doing what they are supposed to do
Establish patch management processes tied to a change management process to ensure that all changes to critical systems go through a review and planned implementation.
Awareness and Training
User Awareness and training is not just about a compliance checkbox. It is important that training is relevant to the airport. Airports should conduct awareness training for all employees, vendors, operations team, and leadership that includes best practices, incident reporting guidelines, and common threat vectors. Including phishing assessments and educating all users on common social engineering tactics early and often will better prepare users to spot potential attacks.
Emerging Threat Vectors
As newer technologies emerge, airports should go beyond the standard best practices to secure themselves. Artificial Intelligence and the increased use of the cloud present two of the biggest opportunities for hackers today. Limiting the attack surface by applying strong controls, encrypting all data, and ensuring that users who work with data understand the risks are key in protecting the airport.
While not a new technology, Operational Technology has become a target in recent times. Just last year, a holiday cyberattack impacted baggage handling systems and flight information displays. Such an attack can cripple an airport for days, if not weeks. Having the right strategy and skill set to identify and protect OT systems is important to keep airports functioning smoothly.
As airports continue to evolve, cybersecurity must be treated as a key part of daily operations. Every system, from flight displays to fueling networks, plays an important role in keeping travelers safe and maintaining smooth operations. Protecting these systems requires leadership, staff, and vendors to work together and build security into every process and layer of technology. By staying proactive and fostering a culture of resilience, airports can better protect passengers, preserve public trust, and keep global travel moving safely and efficiently.
Kelechi Onyedebelu
Senior Lead Consultant
