PA Consulting digital trust and cyber security expert Justin Lowe is quoted in Passenger Terminal World’s feature on airport cyberattack risk.
When asked which areas of an airport are most at risk of a cyberattack, Justin replies: “The most likely part of the infrastructure to be attacked is the free wi-fi system for passengers. The problem is that it provides an easy medium for attackers to hijack user data and accounts. It’s deliberately configured to be easy to access, so there is very little effective security. It can provide a means to capture information from passengers using it or it might provide a route into other airport systems if it’s not properly segregated from them.”
He continues: “Current wi-fi security, up to WPA2 and EAP, was designed by engineers, not cryptographers, and it is badly flawed. There are publicly available attack tools for wi-fi and they are easy to use. We are yet to see how good WPA3 is, so cannot say if or how much of an improvement it will be, or how long it’s likely to be before it’s broken.”
He goes on to say: “Airports are particularly vulnerable to cyberattacks because of the internet access required by passengers and airport employees to facilitate travel. Unlike with the military, technology systems in commercial airports cannot be isolated – especially OT (operational technology) such as screens, runway lights and baggage handling systems. Attacking these causes chaos, has significant cost implications and almost always receives plenty of news coverage.”
He adds: “What makes this even more difficult to manage for airports is that OT threats sit alongside the more traditional IT cyberattacks we see in other industries, normally conducted by organised criminals who seek to steal information that they can monetise. The dual cybersecurity focus for airports, as well as the physical security dimension they must prioritise, makes their vulnerabilities all the more complex to manage.”
The article goes on to talk about technologies that can be used to protect airports from attack. Justin continues: “The most important thing to do at an airport is to keep the many elements separate so that the compromise of one part does not put any of the other operations at risk. Some areas, such as the security screening systems and air traffic control, are safety critical with a potential risk to life if they are compromised. Others have lesser impacts but are publicly available, such as the passenger wi-fi systems available in lounges and the concourse. The appropriate level of protection will depend on the criticality of the system in question.”
The piece looks at what investments airport operators should be making to protect themselves. He cautions: “The development in Bayesian anomaly detection systems and the emerging use of artificial intelligence (AI) to help identify unauthorised activity and software are helping to improve security, but it must be remembered that AI can also be used by the attackers, so the arms race continues.”
He continues: “There are more strategic barriers that also need to be overcome to establish effective long-term security. Firstly, the prioritisation of cybersecurity needs to mirror the emphasis airports currently place on physical security – and the two need to be integrated to ensure that safety and security are robustly aligned. Secondly, they need to invest in training and leadership developments to ensure that their people are not part of the problem.”
Then, when asked if airports should be investing in specialist staff and better training to tackle cybersecurity, Justin says: “Training and investment in people and the establishment of an effective security culture are paramount in all areas of airport and cybersecurity. Our recent report, Overcome the Silent Threat, shows that one of the critical weaknesses in aviation cybersecurity plans is that they overlook the human factor. Given the disparate workforce and lack of clear guidance on how to tackle the people issues, it’s no surprise that to date aviation has struggled in this area. There is, however, a way forward. PA has worked with the Centre for the Protection of National Infrastructure (CPNI) to develop a framework to manage insider threat and wider people challenges and how to detect issues before they arise.”