Aviation Cybersecurity – Understanding the Airport Ecosystem
In 2017 airports worldwide welcomed 8.3 billion arriving and departing passengers and handled 118 million metric tonnes of cargo and 95,8 million aircraft movements.
Airports are live and complex ecosystems with new stakeholders added or removed on a regular basis.
All the elements that integrate this jigsaw play a key role in delivering a safe, secure and even personalized experience to both passengers and airport employees while at the same time enabling operational efficiency and revenue generation for the airport management, the airlines that deliver services to customers and the concessionaires that operate passenger services in terminal buildings.
Let’s take a look under the hood to understand how an airport is structured and what the key assets are that need to be secured, as well as the challenges we face.
Aviation Cybersecurity – Major stakeholders at the airport
There is a plethora of interconnected systems at the airport, each one including valuable assets that need to be properly secured and protected. To get an understanding of this complex ecosystem of assets, let’s focus on the different stakeholders or entities that can be found at the airport. Then, we will dig deeper to showcase critical assets under the control of each one of the airport stakeholders.
At a high level we might classify the airport stakeholders within the following categories:
-Passengers: they expect a convenient end-to-end journey with a personalized experience, including bespoke offers, based on location and customer profile. This is particularly important for the most profitable customers – the VIP passengers. Sophisticated technologies like behavioural analytics leveraging advanced segmentation, modelling and even machine learning, gamification, and geo-location are currently used or will soon be used.
Smart Mobile apps will be the interface to all airport systems. Passengers will use the mobile phone to check-in and navigate through all the touchpoints at the airport.
Widespread interactive surfaces and devices enable real-time information and feedback.
-Airlines: provide air transport services for travelling passengers and freight. Airlines utilise aircraft to supply these services and usually form partnerships or alliances with other airlines for codeshare agreements. These aircraft are also involved in a massive transformation which involves digitalization to eventually become connected aircraft or e-Aircraft. The reality is that everything the passengers can do on the ground with their tablets or smartphones, they want to be able to do in the air, too.
-Local and National Government: while their role might vary per country, very frequently the local government will be responsible for the strategic direction of the airport, while national government will have a double duty:
- As an operator focusing on air traffic control services, transportation systems, security (e.g. baggage handling and screening, customs and immigration).
- As a regulator covering airport infrastructure and service providers within airport systems.
-Industry / Third-Party Service Providers: private operators that offer services to airlines, passengers and other stakeholders of the airport. These third-party service providers are critical for the safety and security of the daily operation of the airport. Most of them currently rely on siloed systems and in some cases old legacy technology designed long before cybersecurity was even a concern.
Among these systems we might find:
- Air Traffic Management (ATM)
- Fuel Management
- Baggage Handling and Screening
- Cargo Processing Services
- Kiosk Devices, e.g. e-ticketing
- Way-finding Services
- Transport Systems
- IT and Communications Services
- Security Services
-Airport Suppliers: which have the airport as a customer and include consulting companies, contractors and equipment suppliers.
-Surface Transport Operators: provide surface access to the airport and include rail services, taxicabs, buses, private rental cars and the subway / underground. Parking services may be provided both on and off the airport premises.
-Airport Operators: the organization managing the airport. It might be a private company through a concession.
-Concessionaires: operate passenger services in terminal buildings and may include food and beverage services, retail and accommodation.
Aviation Cybersecurity – Key assets supporting the daily airport operation
Now we have introduced how an airport is structured in terms of the different stakeholders that underpin the airport’s operations and services delivered, let’s dig a little bit deeper to figure out which assets lay beneath and how critical they are:
- IT and Communications including internal and external infrastructure:
- Internal: Lan, VPN, IT equipment, Mobile network and apps, passenger WIFI, SOC, Flight Display Systems.
- GPS, cloud-based data, Network Security Management, WAN, Air to satellite communication systems, GIS, etc.
- Airline / Airside Operations: including among others – air traffic management, flight tracking systems, departure control systems, airfield lighting and runway control and monitoring, cargo processing, aircraft re-fuelling, etc.
- Landside Operations: including the landside operations systems control centre, fuel management, lighting detection systems, parking management systems, etc.
- Safety and Security: access control systems, authentication systems, baggage screening and handling systems, surveillance systems, passenger screening, perimeter intrusion detection, emergency response, firefighting, etc.
- Customer Ancillary Services: Cashpoint terminals, mobile payments, point of sales (PoS), duty free, catering, etc.
- Facilities and Maintenance: airport vehicle maintenance, building management and control systems, energy management systems, lifts and escalators, SCADA (utilities, roads, ancillary areas), environmental management systems, etc.
- Passenger Management Systems: kiosk devices, e-ticketing, electronic visual information display systems, passenger check-in and boarding, central reservation systems, etc.
- Staff Management: staff records management, authentication systems, mobility-enabled applications.
One important issue is that there are no common data standards to exchange information within this complex ecosystem of stakeholders, making integration quite challenging and more importantly adding complexity to securing the whole architecture.
Major challenges faced by airports and airlines
There is tremendous pressure to strengthen end-to-end security and to do so swiftly. The major challenges faced by airports and airlines are:
-Siloed legacy systems make it difficult to implement streamlined end-to-end security.
-Too much connectivity: physical assets, including scanners, access and departure control, and security cameras are now connected to an airport’s or airline’s systems, making it easier for a cybercriminal to get access to physical equipment. With the explosion of IoT devices new opportunities arise but also, and more importantly, new challenges appear, connected to the inherent lack of security within these devices.
-A quickly evolving threat landscape, with criminals using increasingly sophisticated tools which might challenge existing cybersecurity budgets, particularly at smaller airports. While those smaller airports will certainly comply with existing regulations, there is no doubt that their ability to implement the latest security technologies is going to be lower than at a major international airport. This will generate a disparity amongst airports in the methods and degree to which cybersecurity is addressed, some of them having a very mature cybersecurity posture while others will have limited capabilities.
-Multiple regulations coming from local, regional and global organizations make it difficult to keep up with compliance.
-A complex ecosystem of stakeholders, with massive data flows moving among the different parties, with the volume, velocity and variety of the data quickly increasing. Big Data solutions are becoming ever more necessary in order to properly manage both the unstructured and structured data that is being generated, processed and stored within this complex ecosystem.
Figure 1: Major challenges faced by airports and airlines
- The Airport of Things (AoT)
- Aviation Cybersecurity: High Level Analysis, Major Challenges and Where the Industry is Heading
Further information on Transportation Cyberecurity:
Aviation Cybersecurity – Understanding the Airport Ecosystem