Proactive protection against cybersecurity threats in airports

As protecting against cybersecurity threats moves from being a sole priority of the IT department to a business-critical matter, those operating in airports are no longer just acting when risks arise, but instead proactively monitoring risk levels.

Awareness of threat levels varies between airports, but they will all benefit from a resilient and comprehensive cybersecurity defence, which ensures productivity, a competitive edge, and a strong reputation.  Often, a strong choice is to outsource cybersecurity for baggage handling systems to a specialised system provider, who has a deep level of knowledge and proven experience across multiple handling systems and devices.

WHY MUST AIRPORTS BE VIGILANT ABOUT CYBERSECURITY?

When sophisticated cybersecurity attacks occur, they lead to suspended operations and system downtime that can have long-lasting impacts. If successful attacks do occur and are not swiftly managed, they can lead to delayed flights (with knock-on effects), compromised personal data, impact on global commerce, and lost luggage. As a result of this, cybersecurity has become something which must be an organisational effort rather than just a fix that’s needed if problems arise.

Cybersecurity is often a complex setup, which may stretch the abilities of a busy airport. It’s important for airports to be aware of the risks that come from cyberattacks and the areas where more attention is needed in order to make informed decisions about how they are managing their security. While airports have stringent security measures for everyone who comes near an airport, these are often on a physical level – the digital infrastructure of the airport must be equally important.

WHY IS IT BENEFICIAL FOR AIRPORTS TO OUTSOURCE CYBERSECURITY?

One of the main tasks for cybersecurity teams is patching, where small updates are made to software programs or systems that prevent vulnerabilities and problems with functionality. This is something that an airport’s own internal IT teams are able to do; however, there are limitations in how they do it.

Internal teams may have one or a few employees who are responsible for patching, amongst a number of other responsibilities. As they have to manage this task alongside broader company IT responsibilities, a response may not be timely (statistics suggest that an average organisation takes between 88 and 208 days to patch cyber vulnerabilities). While this is no fault of a busy team working across a busy airport with several terminals and multiple flights every day, it does permit hackers more time to corrupt the system. In turn, this leads to further difficulties and the likelihood of delays, disgruntled passengers and lost luggage. The longer that downtime lasts, the more expensive it is for the airport as delays impact the turnaround schedule of flights, connecting flights, and take off windows.

While internal IT teams can patch systems, sometimes in a timely manner, they are not experts in baggage handling systems. If a baggage handling system fails to come back online after remediation, or does not operate as expected, internal IT teams often lack the system speciality required to explain why. To cover the variety of sortation system knowledge, an internal team would need specialists in PLCs, network devices, storage, servers, OS, Linux and more.

OUTSOURCING SECURITY ENSURES SPECIALIST ACCESS AND FUTUREPROOF SOLUTIONS

Specialist cybersecurity teams are composed of specialist professionals across all the areas that may be needed in an airport. For example, they may have patching experts who are used to carrying out hundreds of patches on baggage handling systems per year. This is a higher frequency than any internal airport team could have, and also means that if any problems arise, the specialists are likely to have seen them before and know how to quickly fix them.

There are also specialists for every level that is needed, meaning that when a baggage handling system needs patching, the airport would be provided with a combined team from the system supplier’s side. The team would include a system specialist who is used to working in the exact kind of system and could check it before and after patching, a specialist who identifies exactly what has caused the problem (if it is the case that there was any specific cause), and one who does the patching itself. This results in a much more robust approach to fixing any issues that arise, and a lower likelihood of there being ongoing issues that are problematic for the airport.

When signing up for a system provider’s cyber security, part of the package to check for should also be access to specialists in compliance and regulation. These security specialists are often part of the security package connected to a baggage handling system, as they are aware of any new regulations, how to manage data audits, and the best practices for documenting data security. They will know which new regulations are coming in and have experience with the best practices for handling them, which is a level of expertise that the airport will rarely have in-house.

Expert cybersecurity companies will also have learnings from their other airport customers, know the best practices for ensuring future-proof solutions, and act proactively to prevent successful attacks. Experts can act as soon as they learn of new threats or experience different attacks, meaning that they are on top of the knowledge and can act in a precautionary manner, rather than waiting to act only when an attack happens.

WHAT TO CONSIDER WHEN YOU’RE OUTSOURCING SECURITY

While outsourcing cybersecurity offers a variety of benefits, it is also not a decision to be taken lightly. Often, the baggage handling system provider will have an option for software services, and these can guarantee expert-level knowledge of that specific system.

Regardless of the choices that are being considered for outsourcing security, the following elements are important to consider when selecting a cybersecurity provider:

• Risk vs cost: Airport operators must individually assess how to balance risk against cost when it comes to cybersecurity. Opting for the highest level of protection often comes with a higher cost; for example implementing rapid-response patching protocols which can be costly and require system downtime to maintain optimal security. A slow-response patching protocol would be cheaper, but runs the risk of not remediating issues in time, which may result in more cost overall, as there is more chance of impacting or delaying multiple flights, passengers, and bags. While the system provider’s cybersecurity team will always be on hand to help with any issues that arise, the choice of risk level must be decided by the airport and be a decision they are comfortable making.
• Contracts: Security contracts must be specific. Where they are more generic or loose, airports run the risk of not receiving the protection level that they desire. Although it may seem as though more elements are covered in a broad contract, the contract actually needs to specify very clear Service Level Agreements and Responsibility Assignment Matrixes in as much detail as possible. This ensures that everyone knows the exact plan and responsibilities if an incident does occur, and there is no confusion at a vital time.
• Evidence: Proven experience is one of the most important things when choosing a provider. For example, if a cybersecurity provider can tell you that they patch more than 100 systems, or more than 3000 devices, it is a clear sign that they have sufficient experience and specialist profiles across different types of devices. As a result, they will most likely have experienced multiple issues before and be able to quickly and effectively respond to any difficulties.
• Compliance and maturity: Depending on the airport’s location, there are different compliance regulations that must be covered by cybersecurity activities. One example of this is ISO 27001, which is a framework to ensure information security and demonstrate that companies have a commitment to information security. If, when choosing a provider, they state compliance with the ISO or equivalent certification, this is a sign that they are of a sufficient maturity level and have demonstrated structured risk management.
• Partnership focus: Outsourcing security marks a partnership with external specialists, where the airport remains fully accountable for their security posture. There is an ongoing dialogue between the internal security team at the airport and the supplier, to ensure alignment on incident response plans, threat monitoring and continuous improvement. It does not mean the airport no longer takes responsibility, instead a strategic collaboration of shared responsibility provides a strong solution. Outsourced teams are experts; however, they also need to learn from their customers and understand where they can both improve. One example of this can be regular workshops, where the airport and the provider help each other become better and act strategically.

KEY TAKEAWAY

Cyber attacks are no longer a case of if, but a question of when. In response to this, there are multiple things airports can do to ensure their safety, and the exact steps taken will vary depending on the size of the airport, their budget, their risk profile, and so on.

One easy step for airports to take is to ensure their organisation has sufficient training at all levels. Often, attacks come through something as simple as an unprotected laptop and investing in airport-wide training will significantly improve security across the entire airport. Education and awareness of best practices are important for mitigating as much risk as possible.

While no airport can ever be completely immune to cyberattacks, keeping systems up to date significantly reduces the risk. For those seeking a proactive, forward-looking approach to cybersecurity, outsourcing to a specialised security company offers robust protection, minimises potential damage, and helps establish a resilient, future-ready defence strategy.