Earlier this year, industry research revealed that 97 out of 100 of the world’s largest airports are riddled with serious cybersecurity vulnerabilities. The ImmuniWeb study detailed a catalog of errors: from outdated software and unpatched flaws, to unencrypted data flows and information leaks due to misconfiguration and negligence. Two-thirds of airports were found to have sensitive personal and internal data, plaintext passwords and more residing on the dark web, and just a quarter (24%) of their websites were GDPR compliant.
Now here comes the really bad news: this is just the tip of the iceberg. Airports aren’t just a growing target for data theft via their web applications and sites. They operate complex, distributed IT and OT networks that present an attractive target for a range of actors: not least, those who may be looking to disrupt and sabotage critical national infrastructure (CNI).
Until recently, airport security has largely focused on the physical threat from terrorists, but as digital systems continue to expand, so do cyber-risks. Tackling this new vector could be the biggest challenge that transport sector IT security teams face this decade.
Many Moving Parts
As a crucial component of the aviation sector, airports are a vital part of any country’s CNI. As such, they represent a major target, not just for cyber-criminals, but also nation states and even cyber-terrorists. The main challenge facing IT security teams in these environments is the sheer number of moving parts, according to Ruben Santamarta, principal security consultant at IOActive.
“Airports are really complex facilities, with multiple stakeholders; each of them with their own needs, which the airport has to fulfil. Interoperability is a key factor. There is a plethora of systems, deployments, equipment, industrial devices, off-the-shelf and proprietary equipment, protocols, IT and OT networks that are shared between different companies, operators, law enforcement, contractors, security and airline staff,” he tells Infosecurity.
“Everything needs to be working perfectly, as we are not only talking about disruptions that may cost hundreds of thousands of dollars, we also have to take into account there are lives at stake if something critical fails.”
These challenges associated with heterogeneous systems and multiple stakeholders are echoed by the World Economic Forum (WEF) in a January 2020 industry report Advancing Cyber Resilience in Aviation. It argues that the “interdependency between the various sectors of activity and interconnectivity with related systems” is such that “one incident at any point in this value chain can have severe consequences in other areas.”
The report explains that technological advances in IIoT and automation are creating tremendous opportunities for improving flight efficiency, the passenger experience and even safety and security. Operational efficiencies include the tracking and connecting of assets to spot shortages or system malfunctions in real-time, and the automation of cargo vehicles, food services and ramps. However, at the same time, this expanded digital infrastructure and the increased complexity it brings makes airports more exposed to cyber-threats. This, it says, could result in “economic loss, industrial disruption and, in some cases, human casualties.”
It should be some cause for concern that, according to a 2018 report from aviation IT firm SITA, over a fifth (21%) of airports claimed to have no plans to implement a security operations center (SOC). Even more respondents said the same of IoT security (35%), identity-as-a-service (37%) and cloud access security broker technology (42%). Less than a third (31%) said they had appointed a dedicated CISO.
“Airports are really complex facilities, with multiple stakeholders; each of them with their own needs, which the airport has to fulfil”
Humans to Blame
According to that same report, many of the most common cyber-threats facing organizations across multiple sectors are also major risks to airport security – especially ransomware (58%), phishing (52%) and advanced persistent threats (47%). The human factor looms large over all three. In fact, according to WEF, employee negligence accounted for 66% of breaches in the sector in 2019, versus 18% for external attackers.
Nowhere was this better highlighted than when Heathrow Airport was fined £120,000 by the UK privacy regulator after an employee lost a USB stick containing unencrypted data. This included personal data on security personnel and, perhaps more damaging in the wrong hands, routes and safeguards for government ministers and foreign dignitaries. It also contained information on the route the Queen takes when using the airport.
Aside from the human factor, the WEF report highlights weaknesses in IT and OT controls, ineffective governance, communications breakdown with boards, process failures and IIoT adoption risks. Although these are fairly generic, airport IT teams are arguably under greater pressure because of the critical infrastructure target their facilities represent to a range of threat actors.
“Global airports process a great wealth of sensitive and highly confidential information about passengers, cargo, their destinations and all related data, becoming an attractive target for threat actors,” ImmuniWeb founder, Ilia Kolochenko, tells Infosecurity. “Obviously, a multiplicity of less sophisticated cyber-criminals should not be disregarded, from Wi-Fi traffic interception on airport premises to cyber-gangs stealing payment data and PII from online registration, fast line and lounge booking websites.”
A Worst-Case Scenario
There are more serious threats still. IOActive’s Santamarta highlights the most sensitive systems of baggage handling, passenger check-in and boarding and air traffic management and navigation, as well as IT/OT networks and key ICS/SCADA systems.
“In terms of worst-case scenarios, essentially any attack having the ability to disrupt the Air Traffic Management system would be highly critical, as it may cost lives,” he adds. “Also, a successful attack that disrupts key assets, such as baggage handling systems, would have a huge financial impact on the affected stakeholders.”
In fact, cyber-attacks are already having a major financial impact on airports. Ransomware has caused chaos at multiple locations in recent years including Cleveland Hopkins and Hartsfield-Jackson Atlanta in the US and Bristol Airport in the UK. Drones are another encroaching threat requiring a coordinated physical and cybersecurity response. Unmanned aerial vehicles hovering over Gatwick Airport have caused chaos for passengers in 2017 and 2018. According to the UK Airprox Board, illegal drone intrusions into UK airport airspace soared by over 34% in 2018.
All of this comes in the context of an ever-tightening regulatory regime. The EU’s NIS Directive, which regulates providers of “essential services” (OES) in transportation, mandates strict GDPR-size penalties for non-compliance. According to Justin Lowe, digital trust and cybersecurity expert at global consultancy PA Consulting, airports designated as OES “should be conducting security assessments and defining security improvement plans.
“It is expected that more airports may well come under the regulation soon, so smaller airports should consider following a similar process,” he tells Infosecurity.
“Smaller airports will also soon come in scope of regulation, as International Civil Aviation Organization (ICAO) and European Aviation Safety Agency (EASA) guidance focuses on a wider and more holistic approach to cyber as pertains to aviation security and safety. The EASA 2019-07 amendments are due to come into effect in Q4 2021 and will seek to more sufficiently address security incidents that could potentially affect aviation safety.”
Reaching for the Stars
While it’s heartening that almost all the airports surveyed by SITA in 2018 plan to have an information security strategy in place by 2021, there is much more to do. According to Greg Pope, head of the joint venture between Context Information Security and Frazer-Nash Consultancy, CISOs in the sector need to be bolder.
“CISOs should be adopting a proactive approach to managing cybersecurity risks, structured by a recognized cybersecurity framework which considers people, processes and technology. In the UK, the Civil Aviation Authority (CAA) is driving this through its ASSURE program for cybersecurity oversight,” he explains.
“The vision for ASSURE is to have a proportionate and effective approach that will enable aviation organizations to manage their cybersecurity risks without compromising aviation safety, security or resilience. While no systems can be 100% secure, 100% of the time, the CAA’s approach should ensure aviation organizations keep pace with ever-changing cybersecurity trends.”
Others, such as PA Consulting’s Lowe, argue that security leaders in the sector must also conduct risk assessments to identify and address critical assets and systems throughout the supply chain, carry out security reviews using recognized frameworks like NIST or ISO 27001, and build a security awareness program for all staff. Security monitoring and well-rehearsed incident response and crisis management plans are also a must.
CISOs should pay particular attention to the growing OT risks, says Lowe.
“With the increased use of OT, systems that are owned and operated by engineering and operational departments are increasingly facing cyber-risks,” he argues. “A security management system is required to ensure these systems, which are often mission and safety critical, are appropriately protected from cyber-risks.”
Global airports may be unusually quiet throughout much of 2020 as the global COVID-19 pandemic limits travel, but when operations eventually ramp up again, as no doubt they will, cybersecurity leaders will need to be ready for anything that comes their way.