Airport Technology interviews Justin Lowe, digital trust and cyber security expert at PA Consulting, following the release of PA’s recently published report on the cybersecurity of airports, titled ‘Overcome the Silent Threat’.
The journalist, Elliot Gardner, notes that PA’s report explains how airports have long been the target of those seeking to cause high-profile public disruption, requiring highly refined physical security measures. Conversely though, Elliot continues, it found airport cybersecurity measures to be comparatively lacking.
Justin Lowe comments: “I think cyber is very much an emerging threat. I think it’s way behind physical threats in some aspects, but the attackers out there are getting better. They’re starting to prey upon other infrastructure systems rather than just banking. And with the Internet of Things and connectivity, that’s really driving this as a growing risk. I’m not sure that all airports are quite on top of this.”
As discussed in PA’s report, and explained in the article, many airports are increasingly implementing connectivity within security processes, placing equipment on a network to improve efficiency and traceability. Yet despite these admittedly significant advantages, much of this equipment was never designed to be part of a network, and is therefore lacking in any form of cyber defence.
Justin explains: “Generally, if you can access them, they are relatively easy to compromise in some way. They often don’t have the up-to-date security software patches that even your home computer might receive, so there’s vulnerability in the operating system.”
Later in the article, Justin talks about ransomware. “If ransomware were to get onto these systems, then that would cause complete carnage in the screening process. There would be mass disruption. You’d be relying on fall-back plans,” Justin says. “The interesting thing about the ransomware attacks is that they were non-targeted attacks. The NHS, for example, got really hit by WannaCry, but no one was really targeting the NHS. Even if you think you’ve got no risk of being targeted, you could accidentally be hit.”
Justin goes on to explain that despite the fact that the majority of airports have a dedicated IT team, sometimes, this still doesn’t help.
He says: “The IT departments in airports tend to focus on IT systems, not necessarily on some of the operational technology,” he explains. “Not just the screening area, but the technology that runs the airport, runway lighting, facilities maintenance, HVAC, building control, and physical security systems. The challenge for IT departments in airports is really to be able to manage the security of a much wider network.”
The author then notes that as airports become more connected and update their technology to keep up-to-date with the outside world, the more devices IT teams have to keep on top of.
Justin advises: “It’s a case of doing the same great job that airports do in terms of physical security, but doing that in the electronic domain.” He explains: “Risks creep in. ‘Oh I just need to make this connection here’ can lead to significant security risks. Airports looking to join these systems up need to make sure they’re doing it in the right way and look at the risks, plus the manufacturers of this equipment need to look at how they build their systems so that they can’t be interfered with digitally.”
Read the full article here