Airports have a long history of dealing with ‘traditional’ threats – terrorism, physical attacks and security scares. But as the physical and digital worlds continue to converge, how do they manage the risk of a potential hack on the air-ground lighting or a terminal’s power facilities compared to a bomb threat or protesters?
The difficulties aviation organisations have is knowing where to start, what material is useful, how can it be applied, what do they need to do and what outcomes they should expect.
Having worked with a range of aviation and critical national infrastructure organisations, we have identified five key steps that will ensure any airport can become truly cyber resilient.
1. Measure yourself
Start with measuring the maturity of cyber security across your organisation, and treat everything agnostically.
There are several different models that can be used, including the Information Security Forum (ISF) Maturity Model and the US Department of Energy Cybersecurity Capability Maturity Model (C2M2).
What is great about these models is that they allow you to measure strengths as well as weaknesses. This is a much better approach than a traditional risk assessment as it allows a broader picture of security risk to emerge that can be aligned to the wider business.
2. Decide what is important
As airports are complex businesses, and budgets are finite, it is critical to get senior stakeholders to prioritise assets and invest in protecting them. A comparison of different business needs and technologies can then be used to drill down to the specific digital services that represent the airport’s ‘crown jewels’.
3. Identify the threat
The most common motivations for cyber-attacks include the theft of intellectual property, operational information or commercial data, or disruption, whether deliberate or unintentional.
These days, the attackers can include organised crime syndicates, bored teenagers and even airport noise protesters. However, as airports are also part of a nation’s critical national infrastructure, they are increasingly being targeted by sophisticated nation state attackers who are determined to disrupt a region or a country.
The UK Government has acknowledged that there are hostile ‘foreign actors’ developing techniques that threaten the country’s electrical grid and airports. The threat is therefore very real.
4. Create your defensive approach
Knowing more about the threat, understanding what you really want to protect, and measuring your cyber security strengths and weaknesses, means that you can focus security investment in the right place.
Do you need to invest more in protecting baggage systems or terminal power systems from attack? Do communication services to the control tower need better protection than the departures and arrivals information boards? These are the everyday choices that you need to make.
Once the appropriate security control sets are identified, they need to be pulled together into a Board-level approved strategic approach.
5. Implement the programme
Flowing out of a strategic approach will be a huge range of projects to address the business security needs. Our experience shows that these projects are best run as a single, integrated programme to drive through the changes across an airport, bringing together the whole supplier base and directing their activities to deliver the required outcomes.
Evolving your strategy
But you can’t just stop there. Regular reassessment of the airport’s cyber security maturity enables measurement of the implemented security improvements and their contribution to your overall cyber security.
Reporting these measured improvements to the Board demonstrates that progress is being made and that value is being obtained from their investment.
By following these five steps and continuing to evolve your cyber strategy, your organisation can become truly resilient.
And while you will still be subject to cyber-attacks, you will have confidence that your defences are responsive and elastic, stretching to contain any attack and dealing with it effectively.