PA Consulting’s Justin Lowe, a digital trust and cybersecurity expert, comments on global airport cybersecurity concerns.
The article notes that airports face a number of security risks and are now also subject to an ever-tightening regulatory regime. The EU’s NIS Directive, which regulates providers of “essential services” (OES) in transportation, mandates strict GDPR-size penalties for noncompliance.
Justin says that airports designated as OES should be conducting security assessments and defining security improvement plans. “It is expected that more airports may well come under the regulation soon, so smaller airports should consider following a similar process.”
He adds that “smaller airports will also soon come in scope of regulation, as International Civil Aviation Organization (ICAO) and European Aviation Safety Agency (EASA) guidance focuses on a wider and more holistic approach to cyber as pertains to aviation security and safety. The EASA 2019-07 amendments are due to come into effect in Q4 2021 and will seek to more sufficiently address security incidents that could potentially affect aviation safety.”
Justin goes on to say that security leaders in the sector must also conduct risk assessments to identify and address critical assets and systems throughout the supply chain, carry out security reviews using recognized frameworks like NIST or ISO 27001, and build a security awareness program for all staff. Security monitoring and well-rehearsed incident response and crisis management plans are also a must. CISOs should pay particular attention to the growing OT risks. “With the increased use of OT, systems that are owned and operated by engineering and operational departments are increasingly facing cyber-risks. A security management system is required to ensure these systems, which are mission and safety critical, are appropriately protected from cyber-risks.”