Dr Richard Piggin CEng MBCS discusses managing supply chain risk and recent regulation.
While digital transformation is enabling airports to enhance their appeal, improve their customer experience and innovate, safety and security remain paramount, with cyber security becoming a central focus - especially given the increasing number of high-profile incidents and new regulation.
The introduction of the European Network and Information Systems (NIS) Directive underlines the necessity for airports to actively manage cyber security risk in order to maintain services and ensure their rapid restoration in the event of a cyber security incident. Both airports and regulators must recognise that managing critical supply chain risk is both an important and a collaborative responsibility.
Threats to airports and impact on operations
All businesses, including airports, are at risk from cyber security incidents and it is essential to have a robust programme in place to maintain resilience. The commercial, operational, and reputational impacts of cyber security incidents could be highly damaging to airports (DfT, 2018); just one hour of disruption in a large airport could cost more than €1 million at peak operating times (ACI, 2019).
EASA estimate there are 1,000 cyber attacks each month on aviation systems worldwide (PA Consulting, 2018), and in the UK 75% of all large organisations identified and reported a cybersecurity incident in the 12 months up to September 2020 (DCMS, 2020). The Airports Council International (ACI) 2020 COVID-19 report further indicated that 61.5% of airports had experienced targeted attacks; of those attacks, respondents identified phishing (77%), malware (51%), and denial of service (21%) as the most common attacks (ACI, 2020).
What are the potential risks to airports?
The ACI also highlighted potential impacts of cyber security incidents on airports in the Cybersecurity for Airport Executives guidance (ACI, 2019):
- Operational disruption
This refers to the loss of major systems required for airport operation. This may include passenger-facing systems such as flight information displays, airline check-in facilities, security systems, or operational control systems.
In 2017 Ukraine’s Boryspil International Airport lost access to its systems, including flight scheduling information, due to the NotPetya malware (The Independent, 2017). In February 2022, the airport ground services and air cargo operator Swissport was impacted by ransomware which disrupted operations, leading to delays at Zurich airport (Reuters, 2022).
- Economic impact
Financial information theft or fraudulent transactions are common cyber security crimes and can have serious economic impacts, as can operational disruption as listed above.
When the NotPetya malware disrupted global shipping operations in 2017, the Maersk shipping company declared losses exceeding $300 million, while FedEx’s European TNT operations estimated that expected losses and recovery expenditure would exceed $500 million (Piggin, 2018).
- Reputational damage
Loss of proprietary or sensitive information can impact an airport’s business reputation and stakeholder trust.
Such incidents are commonly reported in the press and rapidly circulated through social media; in 2017 the loss of a USB memory stick, containing over 1,000 unencrypted files of sensitive information, by a Heathrow airport employee was widely reported following its discovery by a member of the public (BBC, 2017; Mirror, 2017).
In March 2020, San Francisco International Airport was forced to publish a data breach notification indicating that some users of its websites may have been the victim of theft of user login credentials during a cyber-attack (IAR, 2020).
- Legal consequences
Data protection and privacy laws require secure management of all personal data and the retention of security information, and compromising this data can have legal consequences if the airport is found not to have had adequate controls in place.
Heathrow Airport was fined £120,000 for serious failings in its data protection practices over the loss of the USB stick and the data protection breach it represented (ICO, 2018). In 2018, the UK Information Commissioner’s Office (ICO) announced an intention to fine British Airways £183.39 million under the General Data Protection Regulation (GDPR) for the breach of personal data of more than 400,000 customers and staff. The sanction was reduced to £20 million in 2020, following security improvements, representations and considerations of the economic impact of COVID-19, but it is still the largest penalty the ICO has issued to date.
The NotPetya cyberattack in June 2017, regarded as the largest reported cyberattack in history, has highlighted the threat to unconnected and non-targeted organisations. A principal concern for organisations affected by cyber security incidents is the risk of management liability lawsuits (DAC Beachcroft, 2019). Cyber security follow-on class actions are increasingly being brought against companies and their directors. Recent aviation examples include British Airways and EasyJet. EasyJet is facing a staggering £18 billion claim (Covington, 2020).
Remaining alert against threats
In the United States, the National Security Agency (NSA) and the Cybersecurity & Infrastructure Security Agency (CISA) published an alert recommending that critical-infrastructure organisations take immediate action to secure their operational technology assets. If they fail to do so, the potential consequences for airports include (Stouffer et al., 2015):
- Malware on devices and systems
Malicious software (e.g. virus, worm, trojan, ransomware) being introduced onto devices or systems
- Denial of control action
Device and system operation being disrupted by delaying or blocking the flow of information, denying the airport the availability of a device or system, or the use of the networks used to control it
- System, application, configuration or software manipulation
Device, software or configuration settings being modified, producing unpredictable results
- Spoofed device and system status information
False information being sent to either disguise unauthorised changes or to initiate inappropriate actions by airport staff
- System functionality manipulation
Unauthorised changes being made to embedded software, programmable instructions in airport systems, alarm thresholds, or unauthorised commands being issued to devices, which could result in damage to equipment, premature shutdown of devices and functions, or even the disabling of airport equipment
- Safety functionality modified
Safety-related functionality being manipulated in such a way that safety systems do not operate when needed or perform incorrect control actions, potentially harming employees, members of the public or airport equipment
Cyber risks can also include:
- Data exfiltration from systems
When connected to the equipment, data harvesting is a risk even if protection measures are in place and there are no other apparent routes for connectivity
- Network breach
Network exploitation or reconnaissance and the delivery of tools to facilitate exploitation can take place with potentially no indications that it has happened
- Network attack
The possibilities of a network attack include ransomware that prevents access to systems, or destructive malware which deletes data and can render computers unserviceable. Denial of service of airport equipment or triggering unintended operations can have safety consequences for staff, public and equipment
- Connectivity to other systems
Connectivity to other systems such as security cameras, HVAC, building management systems, baggage handling systems, and airport infrastructure can be affected, compromising those systems and risking compromise to further systems - and ultimately, the airport
The growing reliance upon digital technologies and the integration of Internet of Things (IoT) devices will increase potential exposure to cyber risk. Airport digital technologies must now reach beyond the traditional administrative activities to support critical airport functions (ACI, 2018).
Critical infrastructure & EU Network and Information Systems (NIS) Directive
Airports will need to demonstrate cyber security capability and practices to protect critical services and avoid potential noncompliance. This demands the identification of critical suppliers and collaborative management of shared cyber security risk (Piggin, 2018).
The UK National Cyber Security Centre (NCSC) has produced comprehensive NIS guidance with the Cyber Assessment Framework (CAF), defining top-level outcomes for good cyber security. The CAF aligns with established cyber security frameworks, including the US National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF). Both the NCSC CAF and NIST CSF include guidance for managing supply chain risk.
Managing cyber security risk
Airport cyber security governance must extend to the supply chain, and proactively engage and collaborate with critical suppliers. Cyber security needs to be addressed from inception, beginning at the design and conceptual phase, progressing through every stage of system design, development and operation until the system is retired.
According to ACI (ACI, 2019), supply chain risk assessment practices should cover the following:
- Supply chain risk management processes managed by airport stakeholders
- Suppliers and third-party partners providing services and systems
- Ensuring that procurement measures meet cyber security programme objectives in accordance with the risk management plan
- Routine assessment of suppliers and third parties against obligations
Quality control measures, or cyber security assurance activities, should be applied to suppliers and service providers. These include system configuration, physical access, authentication, system interconnectivity, malware detection and routine vulnerability patching requirements (ACI-RASC, 2019).
Recommendations
Airports should follow published guidance for supply chain risk management and collaborate early with key suppliers to assess cyber security maturity. Trusted suppliers should demonstrate a mature approach to cyber security, with a robust programme that addresses the entire security lifecycle and supports the shared responsibilities for both the airport and supplier.
Suitable critical suppliers will have invested in cyber security expertise and utilise a recognised security approach which is aligned to global cyber security frameworks. Key indicators will include an established governance structure for product cyber security, a secure product architecture with product testing and risk management, and competent personnel actively managing the entire cyber security lifecycle.
References
- ACI-RASC (2019) Guidance Document on Cybersecurity for Airport Security Managers. Hong Kong.
- ACI (2019) Cybersecurity for Airport Executives Handbook. Montreal.
- ACI (2020) Airport Cybersecurity COVID 19 Survey Report. Montreal: Airports Council International.
- ACI (2018) Airport Digital Transformation Best Practice. Montreal: Airports Council International.
- BBC (2017) Heathrow probe after ‘security files found on USB stick’ - BBC News. (Accessed: 11 October 2020).
- Covington (2020) EasyJet Latest Firm to Face UK Data Breach ‘Class Action’. Lexology (Accessed: 11 October 2020).
- DAC Beachcroft (2019) FedEx securities class action following the NotPetya cyberattack. (Accessed: 11 October 2020).
- DCMS (2020) Cyber Security Breaches Survey 2020. (Accessed: 18 September 2020).
- DfT (2018) Aviation Cyber Security Strategy. (Accessed: 14 September 2020).
- IAR (2020) San Francisco International Airport victim of cyber-attack in March 2020. International Airport Review (Accessed: 11 October 2020).
- IBM (2020) Cost of Data Breach Report 2020. Armonk.
- ICO (2018) ‘Heathrow Airport Limited fined £120,000 for serious failings in its data protection practices’, Information Commissioner’s Office (ICO) (Accessed: 11 October 2020).
- Mirror (2017) Terror threat as Heathrow Airport security files found dumped in the street - Mirror Online. (Accessed: 11 October 2020).
- NCSC (2020) NCSC CAF guidance. (Accessed: 18 September 2020).
- NSA and CISA (2020) ‘Cybersecurity Advisory NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems’, (July), pp. 1–5.
- PA Consulting (2018) Overcome the Silent Threat: Building cyber resilience in airports. London.
- Piggin, R. (2018) ‘Securing Critical Services’, ITNOW, 60(2), pp. 58–61. (Accessed: 1 June 2018).
- Reuters (2022) Hacker attack hits airport services provider Swissport (Accessed 1 April 2023).
- Stouffer, K., Pillitteri, V., Lightman, S., Abrams, M. and Hahn, A. (2015) Guide to Industrial Control Systems (ICS) Security. Gaithersburg, MD: National Institute of Standards and Technology. (Accessed: 27 March 2018).
- The Independent (2017) Ukraine cyber attack: Chaos as national bank, state power provider and airport hit by hackers. The Independent (Accessed: 11 October 2020).
- WEF (2020) Advancing Cyber Resilience in Aviation: An Industry Analysis. (Accessed: 23 September 2020).
- Wilson Center (2017) Digital Futures Project. (Accessed: 23 September 2020).
This article was updated in September 2023 to reflect the latest information.