Airport cyber resilience and managing supply chain risk

While digital transformation is enabling airports to enhance their appeal, improve their customer experience and innovate, safety and security remain paramount, with cyber security becoming a central focus - especially given the increasing number of high-profile incidents and new regulation.

The introduction of the European Network and Information Systems (NIS) Directive underlines the necessity for airports to actively manage cyber security risk in order to maintain services and ensure their rapid restoration in the event of a cyber security incident. Both airports and regulators must recognise that managing critical supply chain risk is both an important and a collaborative responsibility.

Threats to airports and impact on operations

All businesses, including airports, are at risk from cyber security incidents and it is essential to have a robust programme in place to maintain resilience. The commercial, operational, and reputational impacts of cyber security incidents could be highly damaging to airports (DfT, 2018); just one hour of disruption in a large airport could cost more than €1 million at peak operating times (ACI, 2019).

EASA estimate there are 1,000 cyber attacks each month on aviation systems worldwide (PA Consulting, 2018), and in the UK 75% of all large organisations identified and reported a cybersecurity incident in the 12 months up to September 2020 (DCMS, 2020). The Airports Council International (ACI) 2020 COVID-19 report further indicated that 61.5% of airports had experienced targeted attacks; of those attacks, respondents identified phishing (77%), malware (51%), and denial of service (21%) as the most common attacks (ACI, 2020).

What are the potential risks to airports?

The ACI also highlighted potential impacts of cyber security incidents on airports in the Cybersecurity for Airport Executives guidance (ACI, 2019):

• Operational disruption
  This refers to the loss of major systems required for airport operation. This may include passenger-facing systems such as flight information displays, airline check-in facilities, security systems, or operational control systems.
  
  In 2017 Ukraine’s Boryspil International Airport lost access to its systems, including flight scheduling information, due to the NotPetya malware (The Independent, 2017). In February 2022, the airport ground services and air cargo operator Swissport was impacted by ransomware which disrupted operations, leading to delays at Zurich airport (Reuters 2022).
• Economic impact
  Financial information theft or fraudulent transactions are common cyber security crimes and can have serious economic impacts, as can operational disruption as listed above.
  
  When the NotPetya malware disrupted global shipping operations in 2017, the Maersk shipping company declared losses exceeding $300 million, while Fedex’s European TNT operations estimated that expected losses and recovery expenditure would exceed $500 million (Piggin, 2018).
• Reputational damage
  Loss of proprietary or sensitive information can impact an airport’s business reputation and stakeholder trust.
  
  Such incidents are commonly reported in the press and rapidly circulated through social media; in 2017 the loss of a USB memory stick, containing over 1,000 unencrypted files of sensitive information, by a Heathrow airport employee was widely reported following its discovery by a member of the public (BBC, 2017; Mirror, 2017).
  
  In March 2020, San Francisco International Airport was forced to publish a data breach notification indicating that some users of its websites may have been the victim of user login credentials during a cyber-attack (IAR, 2020).
• Legal consequences
  Data protection and privacy laws require secure management of all personal data and the retention of security information, and compromising this data can have legal consequences if the airport is found not to have had adequate controls in place.
  
  Heathrow Airport was fined £120,000 for serious failings in its data protection practices over the loss of the USB stick and the data protection breach it represented (ICO, 2018). In 2018, The UK Information Commissioner’s Office (ICO) announced an intention to fine British Airways £183.39 million under General Data Protection Regulation (GDPR), for the breach of personal data of more than 400,000 customers and staff. The sanction was reduced to £20 million in 2020, following security improvements, representations and considerations of the economic impact of COVID-19, but it is still the largest penalty the ICO has issued to date.
  
  The NotPetya cyberattack in June 2017, regarded as the largest reported cyberattack in history, has highlighted the threat to unconnected and non-targeted organisations. A principal concern for organisations affected by cyber security incidents is the risk of management liability lawsuits (DAC Beachcroft, 2019). Cyber security follow-on class actions are increasingly being brought against companies and their directors. Recent aviation examples include British Airways and EasyJet. Easyjet is facing a staggering £18 Billion claim (Covington, 2020).

Remaining alert against threats

In the United States, The US National Security Agency (NSA) and the Cybersecurity & Infrastructure Security Agency (CISA) published an alert recommending critical-infrastructure organisations take immediate action to secure their operational technology assets. If they fail to, the potential consequences for airports include (Stouffer et al., 2015):

• Malware on devices and systems
  Malicious software (e.g. Virus, Worm, Trojan, Ransomware) being introduced onto devices or systems
• Denial of control action
  Device and system operation being disrupted by delaying or blocking the flow of information, denying device or system availability or the use of networks used to control device or system to the airport
• System, application, configuration or software manipulation
  Device, software or configuration settings being modified, producing unpredictable results
• Spoofed device and system status information
  False information being sent to either disguise unauthorised changes or to initiate inappropriate actions by airport staff
• System functionality manipulation
  Unauthorised changes being made to embedded software, programmable instructions in airport systems, alarm thresholds, or unauthorised commands being issued to devices, which could result in damage to equipment, premature shutdown of devices and functions, or even the disabling of airport equipment
• Safety functionality modified
  Safety-related functionality being manipulated in such a way that safety systems do not operate when needed or perform incorrect control actions, potentially harming employees, members of the public or airport equipment

Cyber risks can also include:

• Data exfiltration from systems
  When connected to the equipment, data harvesting is a risk even if protection measures are in place and there are no other apparent routes for connectivity
• Network breach
  Network exploitation or reconnaissance and the delivery of tools to facilitate exploitation can take place with potentially no indications that it has happened
• Network attack
  The possibilities of a network attack include ransomware that prevents access to systems, or destructive malware which deletes data and can render computers unserviceable. Denial of service of airport equipment or triggering unintended operations can have safety consequences for staff, public and equipment
• Connectivity to other systems
  Connectivity to other systems such as security cameras, HVAC, building management systems, baggage handling systems, and airport infrastructure can be affected, compromising those systems and risking compromise to further systems - and ultimately, the airport

The growing reliance upon digital technologies and the integration of Internet of Things (IoT) devices will increase potential exposure to cyber risk. Airport digital technologies must now reach beyond the traditional administrative activities to support critical airport functions (ACI, 2018).

Critical infrastructure & EU Network and Information Systems (NIS) Directive

For you

Be part of something bigger, join BCS, The Chartered Institute for IT.

Airports will need to demonstrate cyber security capability and practices to protect critical services and avoid potential noncompliance. This demands the identification of critical suppliers and collaborative management of shared cyber security risk (Piggin, 2018).

The UK National Cyber Security Centre (NCSC) has produced comprehensive NIS guidance with the Cyber Assessment Framework (CAF), defining top-level outcomes for good cyber security. The CAF aligns with established cyber security frameworks, including the US National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF). Both the NCSC CAF and NIST CSF include guidance for managing supply chain risk.

Managing cyber security risk

Airport cyber security governance must extend to the supply chain, and proactively engage and collaborate with critical suppliers. Cyber security needs to be addressed from inception, beginning at the design and conceptual phase, progressing through every stage of system design, development and operation until the system is retired.

According to ACI (ACI, 2019), supply chain risk assessment practices should cover the following:

• Supply chain risk management processes managed by airport stakeholders
• Suppliers and third-party partners providing services and systems
• Ensuring that procurement measures meet cyber security programme objectives in accordance with the risk management plan
• Routine assessment of suppliers and third parties against obligations

Quality control measures ,or cyber security assurance activities, should be applied to suppliers and service providers. These include system configuration, physical access, authentication, system interconnectivity, malware detection and routine vulnerability patching requirements (ACI-RASC, 2019).

This article was updated in September 2023 to reflect the latest information.