OVERCOME THE SILENT THREAT - PA Consulting


OVERCOME THE SILENT THREAT
Building cyber resilience in airports

2 PA Knowledge Ltd April 2018

CONTENTS

1. EXECUTIVE SUMMARY
   EVOLVING FROM PHYSICAL TO CYBER SECURITY
   IN-DEPTH ANALYSIS OF FOUR INTERNATIONAL AIRPORTS
2. INTRODUCTION: WHY ARE AIRPORTS VULNERABLE TO CYBER ATTACK?
   CYBER SECURITY IN THE AVIATION CONTEXT
   INCIDENTS AND SOPHISTICATION OF ATTACKS ARE ON THE RISE
   AIRPORTS AS CRITICAL INFRASTRUCTURE
3. OUR RESEARCH
   AIRPORT CASE STUDIES
   PARTICIPATING AIRPORTS
   FOCUS AREAS
4. KEY TRENDS INCREASING SUSCEPTIBILITY TO CYBER ATTACK
5. HOW DO THESE TRENDS IMPACT AIRPORT CYBER SECURITY?
   INCREASING DIGITALISATION MEANS CYBER RISKS ARE BEING TAKEN MORE SERIOUSLY
   AIRPORTS ARE WELL CONNECTED TO THREAT INTELLIGENCE
   THERE IS NO UNIFORM MODEL TO MANAGE AIRPORT CYBER SECURITY
   PEOPLE CREATE THE BIGGEST VULNERABILITIES, BUT ARE ALSO A SIGNIFICANT PART OF THE SOLUTION
6. PRACTICAL STEPS TO OVERCOME CYBER-SECURITY CHALLENGES
   TAKE A HOLISTIC, ENTERPRISE-WIDE, RISK MANAGEMENT APPROACH TO CYBER SECURITY
   ENSURE THAT AN AIRPORT IS SECURE BY DESIGN
   ESTABLISH STRONG CYBER-SECURITY LEADERSHIP AND EFFECTIVE GOVERNANCE
   ADOPT A LIFE-CYCLE APPROACH TO CYBER SECURITY
   ALIGN CYBER, PHYSICAL AND PERSONNEL SECURITY
   ESTABLISH A SECURITY MONITORING AND INCIDENT RESPONSE CAPABILITY
   ENSURE CYBER-SECURITY STAKEHOLDERS ARE IDENTIFIED AND MANAGED
   ESTABLISH A STRONG CYBER-SECURITY CULTURE
7. ENSURING CYBER RESILIENCE IN AIRPORTS, NOW AND IN THE FUTURE

PA Knowledge Ltd. February 2018

1. EXECUTIVE SUMMARY

Current digitalisation trends present a new challenge to airports: cyber security. With the European Aviation Safety Agency (EASA) stating that an average of 1,000 attacks occur per month on aviation systems, there is a real and current global threat to airport safety, security and reputation.

Cyber-security risks will only become more significant until airports develop a holistic approach to tackling them.

Evolving from physical to cyber security

Airports have long been targets for those seeking to cause high-profile disruption and damage, meaning airport operators have evolved to manage a complex environment of physical security challenges.

However, this maturity is not reflected in airports’ current approaches to achieving cyber security. While there is a growing recognition of the importance of managing and mitigating cyber risks, operators have a long way to go to develop better protection.

Although total prevention will never be possible, cyber attacks are not an airport-specific threat and there are opportunities to learn from aviation and other sectors. However, the current rate of progress by airports in overcoming the challenges of cyber security means that people, digital assets, IT infrastructure and governance models could be increasing the risk of attack.

In-depth analysis of four international airports

Our in-depth assessments of four major airports and further supporting research highlight that increasing use of technology, greater connectivity and moves towards wider collaboration with stakeholders and users can all serve to increase cyber attack vulnerabilities, despite their wider benefits.

As airports aim to become truly ‘smart’ and ‘connected’, cyber security is fast becoming a critical success factor. The challenge is, how do airports increase their resistance to this unfamiliar threat? How do they prevent access and the leakage of sensitive information? Or worse, how do they prevent access to operational IT change to infrastructure and systems? And what practical steps must be taken to guarantee safety across all airports globally?

In conjunction with emerging cyber-security guidance for airports, this report outlines best practice for ensuring that cyber-security threats are adequately identified and mitigated. It also sets out how to identify the leadership and governance structures, enterprise-wide risk management approaches and process, and cultural attributes of a cyber-secure airport.

2. INTRODUCTION: WHY ARE AIRPORTS VULNERABLE TO CYBER ATTACK?

Cyber security in the aviation context

In aviation, cyber covers the traditional IT infrastructure. This includes computers, servers and network components; the software used and the information transmitted over this infrastructure; and industrial control systems (ICS) such as airfield lighting, heating, ventilation, fuel distribution, power management, air conditioning and baggage handling systems.

Together, these support the safe operation of aircraft, the development and maintenance of airport facilities, check-in and screening of passengers, and a variety of other activities. It is important to recognise that any infrastructure where bits or bytes pass through may be vulnerable, whether it is connected to the internet or not.

Threats come in many forms, and vary in the level of sophistication and motivation. They range from low-skilled ‘script kiddies’ to highly skilled and motivated nation states. Between these two extremes are other threat actors that can cause harm to an airport, including criminal organisations, disgruntled employees and hacktivists.

Incidents and sophistication of attacks are on the rise

EASA estimates there are 1,000 cyber attacks each month on aviation systems worldwide.

Over recent years, the number of airport-related cyber threats has grown significantly. The damage caused by these successful threats confirms the need to address cyber security: These typically affect the confidentiality, integrity and availability of systems and data that can result in the release of sensitive data. Additionally, in operational technology (OT) these impacts could lead to the disruption of services or safety incidents.

In addition to the breadth of cyber systems found at an airport, one of the most problematic elements of cyber security is the fast and constant evolution of security risks. Traditionally, airports focused on the biggest known threats. But this approach cannot handle the demands of the current changing environment. That is why international standards such as ICS, the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST) are promoting a more proactive and adaptive approach to cyber.

- In 2017, there were a number of ransomware outbreaks that affected the industry. Hackers use ransomware to attack systems and ask organisations to pay to recover their data. LATAM Airlines had data encrypted by WannaCry, and Ukraine’s Boryspil International Airport lost access to its systems by NotPetya. These cyber attacks were not targeting aviation, yet resulted in interruption to airport services.
- In 2016, hackers attacked the website of Vietnam Airlines and the flight information screens in Hanoi and Ho Chi Minh City airports. All systems connected to the internet were switched off and all the operations were carried out by hand. More than 400,000 passengers’ data was left vulnerable and available to the hackers.[1]
- In 2015, one of Poland’s airlines, LOT Polish Airlines, suggested that its operations at Warsaw Frederic Chopin Airport’s hub were disrupted by a cyber attack on its flight planning computers. This resulted in some flights being cancelled or delayed.[2]
- In 2014, the Airports Authority of India’s enterprise resource planning system was successfully hacked, resulting in the system becoming inoperative, but more importantly, resulting in the loss of personal data on employees.[3]
- In 2013, a sophisticated virtual spying operation directly impacted 75 US airports. The intrusion happened via an advanced persistent threat attack, which means an intrusion was carried out by top-tier hackers who are generally funded by a nation-state. The airport hackers could have been driven by a desire to know who would be on certain flights, as well as the cargo they would be carrying.[4]

[1] cted-defacing-vietnam-airport-websites-1573333 berattack-claims-multiple-airports-vietnam-airli/
[2] crime-idUKKBN0P21DC20150622

- Also in 2013, the passport control systems at the departure terminals in Istanbul Atatürk and Sabiha Gökçen airports were shut down by a cyber attack. Passengers were forced to stand in line for hours, and the majority of flights were delayed.[5]

As transport infrastructure becomes more efficient and integrated, the industry is becoming more reliant on technology in almost every area of operations. These range from sophisticated air navigation systems, on-board aircraft control and communications systems, and airport ground systems, to simple office management systems. These new technologies need to be managed through the development and implementation of structured cyber-security approaches.[6]

Airports as critical infrastructure

Air traffic control systems, and airport and airline information technology systems, have been identified as critical transportation infrastructure that needs to strengthen security and resilience to cyber threats.

The U.S. Department of Homeland Security defines critical infrastructure as “assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof”. Due to the increasing pressures from external and internal threats, organisations responsible for critical infrastructure need to have a consistent and iterative approach to identifying, assessing, and managing cyber-security risk. This approach is necessary, regardless of an organisation’s current size, threat exposure or cyber-security sophistication.[7]

In order to tackle this complex task, different standards, frameworks, approaches and best practices have been developed. These initiatives have typically focused on IT, but more recently have specifically tackled critical infrastructure-related OT and ICS cyber security as well.

The following sections of the report provide an overview of some of the most relevant initiatives, considering both general-purpose approaches and aviation-related ones. They also set out the specific experiences of four international airports based on personal interviews with cyber-security staff.

[3] y-of-india-hacked.html
[4] s-cis-3527114/
[5] kes-at-both-istanbul-airports.aspx?pageID 238&nID 51449&NewsCatID 341
[6] https://www.dhs.gov/what-critical-infrastructure
[7] https://www.dhs.gov/what-critical-infrastructure

3. OUR RESEARCH

Airport case studies

Participating airports

Four leading international airports collaborated with PA Consulting Group to assess the application of their cyber-security practices. The airports were selected to provide an appropriate sample of types and scale.

The airports that took part in the study carry out their operations in diverse contexts and are subject to regulations from different countries and continents. We’ve made the findings from research interviews anonymous to protect business confidentiality.

Focus areas

We asked the airports to outline their position in seven focus areas, which show how prepared an organisation is to respond to cyber threats and withstand their effects. These are:

- cyber-security trends and challenges: what short-term and long-term cyber-security challenges are affecting airports and the aviation industry
- leadership and governance: how there is a formal management structure in place, and how the organisation is capable of managing the cyber-security risk commensurate with the organisation’s business scope, assessed risk and risk appetite
- risk assessment: how an organisation demonstrates a capability to identify its assets and understand the associated threats and vulnerabilities of them
- protection and mitigation: what steps are taken to mitigate the effects of threats from both within and outside the organisation
- detection and response: how an organisation demonstrates an ability to recognise incidents from trends and anomalies, identify sources of information and analyse it in a holistic manner
- recovery capabilities: what steps are taken to stop, investigate and recover from any attempted or successful cyber attack in a timely manner
- operational technology security: whether an organisation recognises and addresses the cyber-security risks from its OT systems.

From these findings we were able to gain insight into what drives cyber-security vulnerability within airports, and also what tools are available to mitigate the risk of attack.

4. SEVEN KEY TRENDS INCREASING SUSCEPTIBILITY TO CYBER ATTACK

[Figure: the seven key trends. 1 Increased technology usage; 2 Hyper-connectivity; 3 Data-sharing obligations; 4 Customer centricity; 5 IT/OT towers; 6 Remote towers; 7 Airports as mega hubs]

1. Increased technology usage

Technology plays a key role in airport operations. And unsurprisingly, airports have significantly increased their reliance on technology and automation in recent years to meet their business objectives.

Operational technologies

Airports continue to invest in new and innovative OTs to increase speed and reliability at common bottlenecks. Examples of this include the use of electronic tags for baggage handling and tracking, remote check-in, smart boarding gates, faster and more reliable security screening technologies and biometric immigration controls, which drive major efficiency benefits at airports.

The reliance on cutting-edge, yet less mature, OTs might bring significant improvements but could also expose airports to new risks and unknown threats. In particular, many of these new developments automate existing passenger processes. They give users a more direct interface with complex automated operational systems, for example, self check-in, self bag drop or self-boarding.

Data and analytics: in-house and outsourced

Airports are also introducing big-data solutions to provide more accurate enterprise decision-making, and releasing new apps and services to improve a now ubiquitous self-service model. On-site infrastructures are increasingly transitioning to the cloud for improved flexibility and scalability. However, these initiatives are not exempt from risk. Moving services to the cloud also makes airports more reliant on secure communications. Big-data models require the integration of huge amounts of data from different sources, and developing new open services and apps can also increase exposure to new and present sources of attack.

This trend is affecting both IT and OT environments, where airports are outsourcing to take advantage of new technologies and then having to rely on the security of external third parties. Regardless of whether these technologies are outsourced or insourced, their adoption brings a set of new and unknown risks that must be appropriately addressed.

Air traffic control connectivity: data-link messaging and remote towers and more

Communication between the air traffic control tower and aircraft is increasingly shifting away from traditional radio voice communications towards data-link technologies. This is facilitated by the use of electronic flight strip systems in tower environments, which support the automatic generation of clearance messages. The use of data-link in this way provides clear benefits to both controllers and pilots, in terms of efficiency and the removal of human error and ambiguity in voice messages. However, it also introduces significant new risks, in particular, the loss of the credibility check that is inherent to a voice communications environment, where all parties are using a shared voice channel. While a pilot may be able to identify an unfamiliar or suspicious-sounding clearance received as a voice command from another human, a data-link message from a malicious source may be impossible to identify.

At many large airports, for example, Heathrow and Gatwick, a significant majority of aircraft now receive their departure clearance via a data-link service. New concepts such as D-TAXI (part of the Single European Sky ATM Research, SESAR, programme) will enable controllers to communicate with aircraft via datalink during the taxi phase. This will further increase the opportunities for cyber-terrorism activities through the issuance of false clearance messages.

In addition to its role in replacing voice communications, there is also an increasing use of data-link technology for surveillance purposes. Automated dependent surveillance-broadcast (ADS-B) involves an aircraft transmitting its location and various other parameters on a regular basis (typically once per second). This information can be received by anyone with access to an inexpensive receiver and used to track the movement of aircraft around the airport. In addition to its use on aircraft, ADS-B transponders are increasingly being fitted to airport ground vehicles in order to allow air traffic controllers and airport operators to monitor their location. It is therefore becoming easier for third parties to gain a highly accurate picture of operational traffic around the airport, posing a significant new security risk to airport operators.

2. Hyper-connectivity

Aiming to make the best of the available information, airports have moved towards centralised architectures. These connect different systems through middleware platforms, integrating all the information in central operational data repositories, often called airport operational databases. These centralised systems take account of the different information requirements of the users involved in the operations, allowing for real-time and two-way data sharing across diverse systems and networks of the different internal and external airport stakeholders (eg ground handlers, airlines, etc).

At the same time, travellers’ expectations for connectivity are ever increasing, and they demand access to high-bandwidth networks wherever they go. Even at airports, passengers want easy and high-speed internet and multimedia options. They’re also increasingly looking for real-time information, and to interact with the airports and related stakeholders directly and on the go.

A hyper-connected model allows airports to meet those needs, share information and provide services to the different parties in an efficient way (often sharing the same infrastructure). However, this requires trust in other parties’ systems, which can mean the operator has less control across the whole architecture, and creates the possibility that new systems will affect existing ones. This brings a larger attack surface for cyber criminals to exploit and the possibility that they could affect multiple stakeholders.

3. Data-sharing obligations

Air navigation service providers (ANSPs) are increasingly under pressure to reduce charges and to integrate and harmonise national airspace and air navigation services. System Wide Information Management (SWIM) has evolved into a global concept that has been adopted by the International Civil Aviation Organization to facilitate greater sharing of air traffic management (ATM) system information.

The SWIM programme is an integral part of this transformation. It will connect air traffic control systems and will also enable interaction with other decision-makers, including other government agencies, airports and airspace users. SWIM is now part of development projects in both the United States (Next Generation Air Transportation System, or NextGen) and the European Union (SESAR programme).

The report “SESAR Strategy and Management Framework Study for Information Cyber-Security Application to System Wide Information Management Research and Development” outlines how SWIM will bring new interoperability, enabling information management through common models, facilitated by intranet and internet connections. This system of systems will consist of sparsely connected nodes using a common shared information model to exchange information over shared connections across different geographies. As a consequence, the current attack surface will increase significantly as these nodes are exposed to malware and cyber attacks. These could potentially allow access to currently isolated networks and bring new possibilities of lateral movement across the targets. This also creates a need for the different stakeholders involved to be confident that information being shared can be trusted, and has not been altered along the communications channels.

4. Customer centricity

As with any other business, airports need to understand their customers to offer the right range of services. A major generator of revenue for some airports is non-aviation sources such as retail concessions. However, due to the changing demographic of air passengers and the use of low-cost airlines, this revenue is diminishing as passengers prefer to buy online rather than in-store. This means it is important for operators to understand how to maximise non-aviation revenue in times of constraints on regulated charges and develop new business models.

Partly, that means recognising that the customer experience of a passenger starts at home instead of when they enter the airport. Following in the steps of airlines, airports are now increasingly seeking to engage with passengers through airport-related apps, providing consistent messaging to develop brand recognition and sharing notifications of flight delays and services.

To achieve this, operators need to be able to track passengers throughout the airport in order to gather and link information to understand the preferences and behaviour of individual customers. They then need to customise and adapt services provided to them. As a result, airports will hold more personal identifiable information and have to deal with related security issues.

5. IT/OT towers

Some airports generate significant income from non-aviation sources, such as retail concessions. Traditionally, IT systems have been isolated from OT systems. However, the integration of the two can bring significant efficiencies, allowing real-time data gathering, processing and decision-making. The ability to constantly monitor a system’s health, track operational processes, receive instantaneous information and exchange data with IT systems opens a whole new world of opportunities to improve airport operations.

This integration is becoming easier with the growing use of commercial off-the-shelf products, and typically IT-related protocols (eg the Internet Protocol) found in most modern OT systems. The record amount of information on ICS and OT online, including user and operation manuals, can potentially facilitate cyber attacks.

As a result of this convergence of IT and OT, ICS have also become vulnerable to the same type of attacks as IT, significantly expanding the threat landscape and increasing the potential impact on the operations. Reports of ICS-related attacks are on the rise, especially in recent years. According to the U.S. Department of Homeland Security, OT operators were the most targeted sector of cyber attacks in 2015, making IT and OT integration-related security more important than ever.

6. Remote towers

ANSPs, airport owners and operators, and related stakeholders face growing pressure to reduce their operating costs while maintaining safety and efficiency. In this context, the interest in digital remote towers as a replacement for the primary control tower, or even as a contingency, has grown significantly in the last few years.

Ornskoldsvik Airport in Sweden was the first in the world to get this system approved as the primary provider of air traffic control. And since 2015, flights have been controlled by a remote tower 110 miles away. Today, there are several test sites around the world (Leesburg International Airport, the United States; Værøy heliport, Norway; Alice Springs airport, Australia), and many major airports across the world, that are considering adopting this approach. In 2009, the virtual contingency facility at Heathrow was the first virtual tower to achieve certification to provide contingency operations if the main visual control tower became inoperable. This facility, which is much more cost-effective than building a secondary tower, can provide capacity of up to 70 per cent of the main tower.

In May 2017, NATS Holdings announced that London City Airport will become the first in the UK to use a remote tower as its primary control facility, with a prototype system already in place and plans for operations to move from the existing on-site tower by 2019.

A number of airports are also exploring the option of providing remote control and monitoring for air traffic control systems in the tower and on the airfield. This allows engineers in a central location to oversee the status of systems at multiple airports, performing remote diagnostics and intervention where required. This is particularly beneficial for smaller airports, where the provision of on-site engineering support at all times is uneconomical.

There are multiple benefits in terms of enhanced safety, flexibility or scalability and the initial investment required. Additionally, this kind of tower inspires new business models, allowing for the management of different airports simultaneously and creating possibilities for on-demand services in the future.

Unlike physical control towers, these critical systems become highly dependent on the data links that transmit the information from one place to another. So a cyber attack (denial of service, network flooding) or physical attack (cable cutting, damaging network equipment) could disrupt operations. That would make it impossible to manage airport traffic.

7. Airports as mega hubs

In their ambition to grow their business, airports have become hubs, providing services for particular airlines or regions, and bringing a significant increase in operational volume and the need for greater integration. As the airports become larger, collaborative decision-making technologies and processes are commonly implemented to share greater data flows between the different stakeholders involved in airport operational processes. They also utilise more integrated systems.

Larger infrastructure and greater operational complexity are also needed to achieve more passenger throughput, which results in the installation of more efficiency-oriented technology and greater automation of the IT and OT systems. These airports are then more exposed to attacks, and their iconic status makes them more appealing for attackers.

Two of the most significant examples of this trend are in Istanbul and Dubai. In Istanbul, the new airport currently being constructed will be able to handle 150 million passengers and will serve as a hub for connecting flights between Europe and Asia. The expansion of Dubai International Airport, the main hub for Emirates, will allow it to process up to 123 million passengers in 2023, by improving technology and streamlining processes.

5. HOW DO THESE TRENDS IMPACT AIRPORT CYBER SECURITY?

PA’s insights focus on the nature of the cyber-security issues and challenges that need to be addressed by new and existing airports. Drawing on our extensive experience of working on the security of critical national infrastructure across numerous sectors, we set out the findings of industry.

Increasing digitalisation means cyber risks are being taken more seriously

Cyber security is seen as a top 10 risk at the executive level

At all the airports we studied, cyber-security was viewed as a top 10 risk at the executive level. The understanding of cyber-security risks varied among these individuals. However, there was clear support that flowed down through the governance structure. In considering cyber security risks, it was noted that mature organisations did not view cyber security in isolation, recognising that it may lead to the realisation of other top 10 risks.

Mature organisations adopt life-cycle approaches inclusive of cyber-security considerations

It is well known that retrofitting cyber security to a system is both more complex and costly than designing it in from the beginning. Many organisations, however, still fail to do this, as threats to systems continuously change over the typical lifespan of OT systems. Mature organisations design for security from day one, incorporating flexible solutions that will ensure risks are acceptably managed now, and as threats evolve over time.

Cyber security should be integrated into day-to-day processes and procedures

While the exact methods of a cyber attack may only be of interest to cyber-security professionals, other parts of the organisation need to understand that it is a key business risk that can affect day-to-day operations. Organisations can help facilitate this by incorporating cyber-security aspects into existing processes and procedures to better manage the risks. Cyber security needs to be a part of existing incident response and business continuity plans. That means all incidents are managed in the same way, whether cyber security is involved or not. The benefits are that the organisation then has clear procedures that are applicable in multiple circumstances and only draw on cyber-security specific aspects when needed.

Airports are well connected to threat intelligence

Airports are well connected to government authorities and national computer emergency response
