Gatwick Airport's Cybersecurity Chief on Supply Chain Risks and CrowdStrike Outage

Supply chain attacks have emerged as one of the primary challenges for cybersecurity teams, with attackers recognizing that software providers and other third-party services can provide an accessible gateway to high-value targets.

This is a particularly significant issue in the aviation sector, which relies on a complex ecosystem of third-party services and external IT tools to operate efficiently.

The compromise of a key provider has the potential to cause huge disruption to air travel, with severe knock-on effects to the global economy.

London Gatwick Airport’s Head of Cyber Security, Megan Poortman, spoke to Infosecurity about supply chain cybersecurity challenges in a critical international airport environment.

Poortman also talked about learnings from dealing with the impact of the CrowdStrike IT outage in July 2024 and the evolving cybersecurity compliance landscape.

Infosecurity Magazine: What are the unique cybersecurity supply chain challenges facing the aviation industry today?

Megan Poortman: I think across all verticals we’re seeing the same challenges with managing large supply chain estates, whether it’s down to resources, technologies or toolsets. This is not just about cyber but across all areas of the business.

At Gatwick Airport we have multiple suppliers and it’s about understanding the risk assessment for each of them. Firstly, this involves meeting suppliers and talking to them about cybersecurity. It’s not number one on all suppliers’ agendas, but it’s about starting to bake that into being something the business is responsible for.

In the past with health and safety, we realized we needed to do supplier reviews and have contract conversations. Cybersecurity now needs to be on that agenda.

When we start to look at some of the key supply chain challenges, being part of critical national infrastructure (CNI) means we are a key target for cyber-attacks.

It’s not just the operators of essential services, it’s our supply chain as well that’s the target.

IM: What is Gatwick Airport’s approach to managing supply chain security, working with the many organizations that operate on the site?

MP: My approach since working at Gatwick has been to focus on our strategic partners. I call them partners and not suppliers because these are companies that help us with our strategic goals.

If there are any glitches in our suppliers, it causes queues of passengers out of the door, leading to passengers missing holidays etc. We want partnerships with those suppliers who want to help us achieve our end-to-end objectives.

Our approach has been focusing on those top tier partners and looking at how do we broker the conversation about their strategic vision in cybersecurity. Is cyber on their product improvement roadmap? Is cyber something they consider? Do they know how to report a breach?

It’s breaking it down and moving away from massive spreadsheets of questions and streamlining what we really care about and working with the supply chain to impact that.

We also lean into guidance from agencies like the UK National Cyber Security Centre (NCSC) which we can refer our suppliers to.

This is especially important for small suppliers, who don’t necessarily have IT and cyber departments. For example, there’s a lot of great guidance from the NCSC on how to protect against ransomware and how to secure email, such as using multifactor authentication (MFA).

IM: In July, it was reported that Gatwick Airport was impacted by the CrowdStrike global IT outage. Were you able to take any learnings from this incident in terms of incident response and cyber resiliency at the airport?

MP: The CrowdStrike incident showed the reliance on global IT providers and the potential impact when something goes wrong with those systems. The key learning is to continue to test our crisis resilience plans and use tabletop exercises. It was an event whose impact and scale were not predicted. The likelihood of such an event would have been considered low.

A key takeaway was how quickly a fix was shared across the community. The technical fix was shared without competitive barriers, without people holding information to themselves. The cyber community came together and the biggest takeaway is the importance of that shared intelligence.

This showed the strength of our vertical networking in the aviation industry, from airlines to airports. Here is the fix that has come out, test it and share with your technical teams. That’s a powerful message.

IM: How has the compliance landscape evolved in the aviation industry in recent years? How have governance, risk management and compliance (GRC) strategies adapted to this change?

MP: I’ve been in aviation for nearly a decade now and I’ve seen a notable change in the regulatory landscape in that time. I previously headed up risk and compliance at another airport and it’s about understanding the key levers and drivers that are regulating change. The key driver is the importance of security across CNI and our governments recognize that.

In 2018, the Network and Information Systems (NIS) regulation came into force and that’s been a notable change. CNI organizations have always taken safety and security very seriously, but by bringing that regulation in 2018, it changed the landscape by getting regulators and competent authorities interested in organizations’ cyber maturity.

These changes give the regulators the ability to apply measures to strengthen overall security with us as well. It’s not just cyber, it’s also physical security.

If you look at the regulators and changes on one side and think what the cyber team were doing before, I don’t think it’s changed strategies dramatically. The regulations are mapped to really good frameworks so it’s more reaffirming what we need to be doing and how we’re being held to account.

You should be understanding what your leading cybersecurity framework is, what’s best for your organization, and complementing your strategy with the regulation rather than doing it because the regulation says you must do it.

IM: What are your biggest concerns in cybersecurity today?

MP: One of the things that concerns me is cyber attackers’ use of AI in their campaigns.

As an airport we see different challenges daily. Tactics are changing all the time and cyber professionals have to react.

Another big challenge is retaining talent within the cyber industry. There are lots of worrying statistics about how many people are leaving their cyber careers because of stress and burnout, and we need to work out how we can make cyber less scary and more sustainable as a long-term career journey.

We need more career journey mapping to help people to find their niche and show them it is a great career with longevity. Cybersecurity leaders need to help them achieve that.

Retention will continue to be a challenge until we make cybersecurity an attractive career path for a diverse range of individuals. Diversity of thought will only make your cyber function stronger.

IM: What are the biggest successes the cybersecurity industry is experiencing today?

MP: The biggest success is working with strategic partners in cybersecurity to understand the kind of mundane tasks we can automate to get that initial triage out of the way. We have tools that can help us be efficient and smarter with our time.

It’s important to continue to challenge why we are doing certain things in a manual way, and review if we can do things better.

IM: If you could give one piece of advice to fellow CISOs, what would it be?

MP: Cyber has a massive talent shortage. My advice to CISOs is to use your voice and status to reach out to your local schools, colleges and universities to advertise cyber as a career.

Cybersecurity is no longer a dark art, we can use our voices to promote it, and encourage people from a young age that it can be a really great career path.

Another element of this is encouraging diversity across the board. Young people often perceive cyber as a very tech focused career path. Now, with the cyber mapping of careers, you can see how there’s so many other avenues for creative paths.

It’s about inspiring young women as well as young men. We need to have that diversity of talent to get creative people and minds who are going to try and understand the attackers’ mindset.

It’s also about educating the generation of parents who are going to bring up the next generation of children that cyber is a good career.

It’s being an advocate for cyber, emphasizing it’s not just about being behind a screen coding and pen testing. That’s my challenge for CISOs.
