Establishing appropriate mechanisms to safeguard airport infrastructure systems from cyber threats


Technological advancements and digitization have brought many advantages to the airport infrastructure sector while creating challenges in managing cyber vulnerabilities in this complex environment. Critical systems, such as air traffic control and baggage handling, are at risk of cyber threats and attacks, potentially leading to flight delays, cancellations, and compromised passenger safety. Moreover, the proliferation of IoT devices and outdated legacy systems amplifies security vulnerabilities. Insider threats, human error, and inadequate employee training further pose significant risks. As airports digitize and expand operations, addressing these challenges becomes paramount for ensuring secure and efficient travel.

Given that airports constitute critical national infrastructure, cyber breaches can result in far-reaching consequences beyond financial loss and reputational harm. Hackers have launched distributed denial-of-service (DDoS) attacks, such as the October 2022 cyber-attacks that temporarily took down several U.S. airport websites. In April this year, similar attack techniques were used against the Indian aviation sector. 

Some of the other attack techniques used against the airport infrastructure sector include ransomware, internal security threats, social engineering mechanisms, and attacks on payment systems. Cybercriminals have been known to launch ransomware attacks, where they encrypt and seize control of digital assets, including files and computer systems, demanding ransom from the victim in exchange for restoring access. In January 2020, hackers infiltrated the networks of third-party contractors working with Albany Airport. Subsequently, they infected the airport’s management servers with malware, forcing the airport to pay a ransom to regain normal operations.

Airport infrastructure has also been vulnerable to internal security threats. For instance, at Heathrow Airport, an employee posed a security risk by failing to store data in secure formats and losing a USB stick containing sensitive information. The USB stick was later discovered by a member of the public. 

Additionally, both airport employees and customers are at risk of falling victim to phishing emails, which often contain infected links. In July 2020, the FBI warned about fraudulent domains that mimic the websites of American airports. These domains are used by fraudsters to deceive unsuspecting customers and vendors by posing as airport authorities or affiliated entities to carry out fraudulent activities.

As airport infrastructure becomes increasingly attractive to hackers, implementing network segmentation can enhance the resilience of airport networks by minimizing the impact of potential breaches. Additionally, operators should consider utilizing Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) systems, as they play a crucial role in detecting threats early on and enabling proactive defense measures. 

It is also essential to prioritize comprehensive employee training and awareness programs to strengthen the human element against social engineering attacks. Furthermore, investigating the need for a robust incident response plan is vital to ensure swift and effective mitigation in the event of a cyber incident, thereby establishing a resilient airport cybersecurity framework.

Insights on Airport Cybersecurity and Role of Network Segmentation

Industrial Cyber reached out to aviation sector experts to investigate the unique characteristics of the airports sector in comparison to other critical infrastructure sectors. They analyzed how network segmentation can bolster the security of critical airport infrastructure, such as air traffic control systems and passenger data. Additionally, they explored the fundamental principles and recommended strategies for successfully implementing network segmentation at airports.

Jeffrey Troy, president and CEO at the Aviation ISAC

Airports are unique in the diversity of their management and governance structure, Jeffrey Troy, president and CEO at the Aviation ISAC, told Industrial Cyber. “Depending on where you are in the world, an airport may be privately owned, a non-profit with a board, a quasi-government agency, owned by a country’s federal government, or owned by one or many municipalities, which is common in the United States.”

“There is a wide range of diversity in the maturity of the cyber programs at airports,” Troy assessed. “Cybersecurity maturity correlates directly with the level of risk owners of the digital systems consciously, or unconsciously, decide to accept. This risk acceptance includes both systems owned and operated by the airport or its vendors, or some combination thereof.”

For example, airports may control all the networks at the airport but most often parcel out some of the IT and OT functions, Troy pointed out. “Sometimes infrastructure is leased to tenants, sometimes the tenants bring their own infrastructure and manage it as well. Unlike other critical infrastructures, an airport can have a wide variety of IT, OT, and ICS systems.” 

He also identified that an airport can have its enterprise systems (email, database, ERP, etc.), retail systems for its tenants, building and facility control, government systems, and OT systems for things like fuel farms, smart ramps, or runway lighting. “Each system is supporting a function whose ability to be accomplished must be analyzed for the risk of a cyber attack. If the system is not owned by the airport, the airport must understand the risk in the vendor’s system.”

Troy said that network segmentation is critical, particularly when many different functions are performed by systems in a connected network. “A breach of one application may put at risk all other applications operating on the same network. At an airport, some systems impact the safety of the passengers and crew. For example, segmentation of the point-of-sale systems, which have a high rate of abuse, from things like flight information systems or runway controls is critical for safety and operational integrity of the airport.”

He highlighted a few key principles and practices for implementing effective network segmentation. Understanding what is on the network is crucial for successful segmentation, and that can be challenging, particularly given the ICS and OT systems present at airports. He also called for considering frameworks such as the National Institute of Standards and Technology (NIST) or CIS controls to help implement cybersecurity controls, including network segmentation, properly; paying special attention to any life-safety-oriented systems and limiting access and connectivity to them; and giving anything at high risk of compromise, such as retail tenants, public kiosks, or terminal-side internet access, special attention when segmenting.
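As an added illustration of the segmentation principles above (not code from the article, the Aviation ISAC, or any airport), the following Python models the segments Troy describes as named zones with an explicit allow-list between them, evaluates individual flows against that list with default deny, and audits the rule table for the exact failure he warns about: a high-risk zone such as point-of-sale or a public kiosk being able to reach a flight-information or runway-lighting segment. The zone names, subnets, ports and rules are constructed for the example; one deliberately wrong rule is included so the audit has something to find.

```python
"""Zone allow-list model and audit for airport network segmentation.

Added example; zones, subnets, ports and rules are constructed, not taken
from any real airport or from the article.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones. High-risk zones face tenants or the public; protected zones
# carry flight information or airfield OT.
ZONES = {
    "pos_retail":      ip_network("10.10.0.0/24"),  # tenant point-of-sale
    "public_kiosk":    ip_network("10.20.0.0/24"),  # check-in kiosks, terminal Wi-Fi
    "enterprise_it":   ip_network("10.30.0.0/24"),  # email, ERP, databases
    "fids":            ip_network("10.40.0.0/24"),  # flight information displays
    "runway_lighting": ip_network("10.50.0.0/24"),  # OT: airfield lighting control
    "ot_engineering":  ip_network("10.60.0.0/24"),  # engineering stations for OT
}
HIGH_RISK = {"pos_retail", "public_kiosk"}
PROTECTED = {"fids", "runway_lighting"}


@dataclass(frozen=True)
class Rule:
    src: str      # zone name or "any"
    dst: str      # zone name or "any"
    port: int     # 0 means any port
    action: str   # "allow" or "deny"


# Constructed rule table. First match wins; anything unmatched is denied.
RULES = [
    Rule("enterprise_it", "fids", 443, "allow"),             # FIDS content updates
    Rule("ot_engineering", "runway_lighting", 502, "allow"),  # Modbus from engineering only
    Rule("pos_retail", "enterprise_it", 443, "allow"),        # POS reports to back office
    Rule("public_kiosk", "fids", 80, "allow"),                # constructed mistake: kiosks reach FIDS
]


def zone_of(ip):
    """Return the zone name containing ip, or None for an unknown asset."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def _matches(rule, src, dst, port):
    return rule.src in ("any", src) and rule.dst in ("any", dst) and rule.port in (0, port)


def evaluate_flow(src_ip, dst_ip, port, rules=RULES):
    """Decide a single flow. Unknown endpoints are denied: if you cannot place
    an asset in a zone, you do not yet understand what is on the network."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny"
    for rule in rules:
        if _matches(rule, src, dst, port):
            return rule.action
    return "deny"  # default deny


def audit_rules(rules=RULES):
    """Flag allow rules that are overly broad or that let a high-risk zone
    reach a protected zone. Returns a list of (finding, rule) pairs."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        if rule.src == "any" or rule.dst == "any":
            findings.append(("overly-broad", rule))
        elif rule.src in HIGH_RISK and rule.dst in PROTECTED:
            findings.append(("high-risk-to-protected", rule))
    return findings


if __name__ == "__main__":
    print(evaluate_flow("10.20.0.7", "10.50.0.5", 502))   # kiosk -> runway lighting: deny
    for finding, rule in audit_rules():
        print(finding, rule)
```

Running the audit before a rule table is deployed catches the constructed kiosk-to-FIDS rule; the per-flow check is the same logic a firewall applies, so the two functions can be used together to confirm that a proposed rule set both permits the legitimate paths and blocks every high-risk-to-protected path.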

Aviel Tenenbaum, CEO of Cyviation

Beyond resembling critical infrastructure in some respects, airports and aviation in general constantly rely on multiple engagement points, with different communication channels and processes whose cybersecurity requirements are yet to be defined, Aviel Tenenbaum, CEO of Cyviation, told Industrial Cyber. “The aircraft – a critical component to secure – has ‘people – passengers,’ is airborne and is not used to dealing with cybersecurity. Cyber events would many times be classified as a ‘technical glitch’ simply because no one even trains pilots on cyber events. You simply have all the risks of critical infrastructure OT and much more.”

Tenenbaum added that there is a huge catch-up to be made to build resilience in this industry, and that airports that serve commercial flights are actually slightly better prepared. “They also report more incidents of cyber.”

Impact of IDS and SIEM systems on airport threat detection 

The executives evaluate the role of Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) systems in detecting and responding to threats at airports. They also examine the common challenges airports encounter when integrating and managing these systems in their complex network environments.

Troy identified that IDS and event management systems allow IT personnel at airports to have a customized view into a subset of threats to their computing environment. “This allows them to respond to logged security events quickly. If the security tools are configured correctly, network defenders can respond and mitigate an event before a significant disruption occurs.”

“The sheer number and variety of systems that need to be added to an IDS or event management system is one of the main challenges. These monitoring systems require rulesets and detections,” according to Troy. “Due to the diversity of systems, sometimes these rules have to be written by hand. Monitoring an email system is much different than monitoring potential intrusions into a building control system and requires vastly different integrations. The second challenge is how to monitor in a situation wherein a tenant leases infrastructure, as this brings in more integration challenges as well as contractual issues about who monitors and responds to events.”
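To show what the hand-written rulesets and "vastly different integrations" Troy mentions look like in practice, here is an added Python example (not from the article, the Aviation ISAC or any SIEM vendor) that normalises two constructed log formats, a segmentation firewall's key=value syslog and a building-control controller's audit log, into one event schema and runs two hand-written detections over them: a per-event rule for controller writes that did not come from the engineering network, and a windowed rule for repeated denied connections into the OT subnet. The log formats, subnets, thresholds, rule names and sample lines are all constructed.

```python
"""Normalising two unrelated log sources into one schema and running
hand-written detections over them. Added example; the formats, subnets,
thresholds and sample lines are constructed, not from any real system."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed subnets: OT controllers, and the engineering stations allowed to change them.
OT_NET = ip_network("10.50.0.0/24")
ENGINEERING_NET = ip_network("10.60.0.0/24")

# Source 1: segmentation firewall, ISO timestamps and key=value fields.
FW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) fw src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>allow|deny)$")
# Source 2: building-management controller audit log, day/month/year and its own vocabulary.
BMS_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<device>\S+) "
    r"(?P<op>READ|WRITE) point=(?P<point>\S+) value=(?P<value>\S+) by=(?P<src>\S+)$")


def normalize(line):
    """Map one raw line to a common event dict, or None if no parser matches."""
    m = FW_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return {"ts": ts, "source": "fw", "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "action": m["action"]}
    m = BMS_RE.match(line)
    if m:
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S")
        return {"ts": ts.replace(tzinfo=timezone.utc), "source": "bms", "src": m["src"],
                "dst": m["device"], "action": m["op"].lower(),
                "point": m["point"], "value": m["value"]}
    return None


def rule_unauthorized_bms_write(ev):
    """Per-event rule: a controller write that did not come from an engineering station."""
    if ev["source"] == "bms" and ev["action"] == "write" \
            and ip_address(ev["src"]) not in ENGINEERING_NET:
        return ("unauthorized_bms_write", ev["src"], ev["point"])
    return None


def rule_ot_probe(events, threshold=3, window=timedelta(seconds=60)):
    """Aggregate rule: one source denied `threshold` times into OT within `window`."""
    denies = defaultdict(list)
    for ev in events:
        if ev["source"] == "fw" and ev["action"] == "deny" and ip_address(ev["dst"]) in OT_NET:
            denies[ev["src"]].append(ev["ts"])
    alerts = []
    for src, times in denies.items():
        times.sort()
        for i in range(len(times)):
            hits = sum(1 for t in times[i:] if t - times[i] <= window)
            if hits >= threshold:
                alerts.append(("ot_probe", src, hits))
                break  # one alert per source is enough
    return alerts


def run_detections(lines):
    """Parse every line, run per-event rules as lines arrive, then aggregate rules."""
    events, alerts, unparsed = [], [], 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed += 1  # unknown format: count it so the coverage gap is visible
            continue
        events.append(ev)
        hit = rule_unauthorized_bms_write(ev)
        if hit:
            alerts.append(hit)
    alerts.extend(rule_ot_probe(events))
    return {"alerts": alerts, "unparsed": unparsed, "events": len(events)}


# Constructed sample lines mixing both sources in arrival order.
LOG_LINES = [
    "2023-06-12T08:00:01Z fw src=10.20.0.7 dst=10.50.0.5 dport=502 action=deny",
    "2023-06-12T08:00:09Z fw src=10.20.0.7 dst=10.50.0.5 dport=502 action=deny",
    "12/06/2023 08:00:12 BMS-CTRL-1 WRITE point=AHU3.SetPoint value=21.0 by=10.60.0.3",
    "2023-06-12T08:00:20Z fw src=10.30.0.9 dst=10.50.0.6 dport=502 action=deny",
    "2023-06-12T08:00:25Z fw src=10.20.0.7 dst=10.50.0.5 dport=502 action=deny",
    "12/06/2023 08:00:31 BMS-CTRL-1 READ point=AHU3.SetPoint value=21.0 by=10.30.0.9",
    "12/06/2023 08:00:40 BMS-CTRL-1 WRITE point=AHU3.SetPoint value=18.0 by=10.30.0.9",
    "2023-06-12T08:00:44Z fw src=10.30.0.9 dst=10.30.0.10 dport=443 action=allow",
    "this line is from a third system nobody has written a parser for yet",
]

if __name__ == "__main__":
    result = run_detections(LOG_LINES)
    for alert in result["alerts"]:
        print(alert)
    print("unparsed lines:", result["unparsed"])
```

Each new system type needs its own parser and its own rules, which is the integration cost Troy describes; the unparsed counter is there so that a tenant or vendor system whose format was never integrated shows up as a monitoring gap instead of disappearing silently.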

Without commenting specifically on airports, Tenenbaum said that “a good IDS and SIEM – allow one to detect a possible attack and mitigate it based on a pre-planned process defined under the SIEM. This way the negative aspect of an attack may not be eliminated – but definitely shortened and minimized.”

Employee training crucial for strengthening airport cybersecurity 

The experts also examine the importance of employee training and awareness in preventing cyber incidents at airports, as well as the potential consequences of insufficient training. They also explore the strategies that airports are using to educate their staff about cybersecurity risks and best practices.

Troy said that employee training and awareness are key to preventing incidents. “Every computer user should be considered a part of the cyber security strategy at any airport. Users may notice anomalies, spot phishing, or even receive phone calls that signal that someone is trying to compromise the airport network. Every security program should make it easy for all users to report suspicious behavior.”

For an airport, cyber security awareness is even more critical when connected life safety systems are involved, he added.

“Airports use a variety of methods to educate staff. Most are very similar to how other organizations train their employees. Tabletop exercises are one good way; this allows the airport personnel to go through their response procedures and include the multiple stakeholders at an airport,” Troy detailed. “Airports also use conventional methods like informational emails and posts, reminders, and updates about security-oriented procedures. Some will use phishing tests for their internal staff.”

One challenge he identified, depending on how the airport is set up, is making sure that tenants are doing the same education and awareness work, especially where there are network and infrastructure tie-ins. “Sometimes airports will include tenants in training sessions or sometimes it will be outlined in the airport tenant contracts,” Troy added.

In general, training is a major part of mitigation, Tenenbaum said. “If you know how to recognize an attack and/or what to do when it is identified – usually you can greatly limit the risk. Training and specific awareness are part of a full mitigation cycle. Specifically in Aviation and people who ‘touch and operate’ an aircraft – the training should be around specific events that can happen in an aircraft and not general cyber training – which is important but less relevant,” he added.

Building Resilience Through Incident Response Plans for Airport Cybersecurity

The executives examine the components that should be incorporated into a thorough incident response plan specifically designed for airport infrastructure cybersecurity. They also assess how airports guarantee that their response plans are consistently updated and tested to maintain effectiveness against evolving threats.

Troy said that multiple elements should be included in an airport’s infrastructure response plan. “All of the different IT systems need to be accounted for and continuously monitored. This includes IT, OT, and ICS. Since airports are high-profile attack points for many groups, hybrid physical-cyber events should also be considered in an incident response plan. Airport vendors and tenants should also be included in an incident response plan, even if infrastructure is segmented out. If an Airline has a cyber event, the resulting operational issues will likely have a cascading impact on the airport.”

He also pointed out that communications are important in any cybersecurity event. “The airport should be part of an information sharing group like the Aviation ISAC to assist in getting intelligence information to assist with incident response as well as to help other aviation stakeholders prevent or detect similar attacks. It is highly likely the airport is mandated to report the attack to a regulated government entity. This should be done in compliance with all required timelines and content. Model incident response plans are available from numerous private sector and government entities.”

“An airport should exercise its incident response plan yearly. This should be done either internally or via a vendor that specializes in running IR exercises,” Troy assessed. “The written plans are also reviewed and changed on a regular basis as stakeholders or infrastructure changes. In addition, remediation plans should be reviewed and actual remediation tasks should be performed to ensure staff are skilled in bringing systems back online or bringing secondary systems online.”

Tenenbaum listed “point of contact and ownership of the event management. Pre-defined process – who to engage, who to inform – with all related parties from authorities, airlines, airport, manufacturers (if relevant), etc., and hand-shake with aircraft bound to land or about to take off.”
