Having more staff work from home means greater exposure to hacks, phishing activities and other cybersecurity challenges capable of bringing a whole IT system down if the appropriate measures are not put in place.
This inspired the Airport Council International (ACI) – the trade association representing the majority of global airports – to write up and publish a set of IT best practice guidelines for operators and their staff.
ACI World director of Security, Facilitation and IT Nina Brooks discusses the main points of the latest Airport Information Technology recommendations during COVID-19 and how hubs are currently dealing with reduced traffic and preparing for a post-coronavirus world.
Adele Berti: What are the main takeaways from the guidance?
Nina Brooks: The main thrust of it is that IT more than ever has become really critical. It’s very important that IT is part of all of the crisis management activity but also plays a key part of the response to what’s happening and must be included as well in the recovery plan. More than ever, people are relying on remote working, they’re relying on collaboration tools and it’s just really imperative that IT is part of all of that management and planning effort.
AB: What are the key measures that an airport operator should absolutely put in place when it comes to making sure that their IT systems are protected?
NB: As far as cybersecurity goes, I don’t think there’s anything different now than what should be happening already. So, a robust cybersecurity framework would already include good protection for systems and a management approach, it would look at key vulnerabilities and it would have solid training for end users to know what good IT practices are. It would also have contingency and resilience for safety-critical operational systems.
So all of these [measures] still stand. It’s not new, it’s just heightened. People really need to be aware that especially with remote working and with, unfortunately, increased phishing activity – we’ve seen attacks reporting to be related to COVID-19 – they can be vulnerable to those things. So it’s about making sure you have all those right things in place.
AB: What are the current cybersecurity threats to airport operators as a result of Covid-19?
NB: There’s a mixture. One is obviously social media and email phishing attacks and even telephone calls. We’re seeing them coming in from all directions, for example you’ve got somebody pretending to be the World Health Organization or the government giving you money. So there’s definitely some increased activity around that and users need to be aware that those things are happening and be careful with what they click on.
And then obviously, you’ve now got a lot of teleworking going on and a lot of staff working at home. That can introduce vulnerabilities, so you have to make sure that you have good VPN connections, that you have security and maybe that only the people that need access to certain systems have access to those systems. So just have a really good policy to make sure that people have access to what they need, and that those connections are secure.
Also, if possible, limit use of personal devices and have organisations provide devices that can securely access systems. And then we need to be aware that a lot of the collaboration tools that are being used (like Zoom), there’s all sorts of debate about what’s secure and what isn’t secure. So just be aware that when you’re working in this kind of way there may be vulnerabilities and not everything can be assumed to be completely private. And finally, there are limited resources. Obviously, there have been a lot of layoffs and resources are going to be a challenge for sure. But, of course, cybersecurity and all those things need to remain the top priority.
AB: What other potential IT-related threats does the guidance address?
NB: There are some challenges for sure, one of them being, again, limited resources. We’re seeing quite a few international airports now either closing or really reducing what concourses and halls and terminals are open. So of course, if you’re decommissioning systems, then there are challenges around that with restarting and making testing and keeping them certified and maintained.
AB: The guidance covers the ‘deployment of innovative technologies and solutions for autonomous operations’. Can you elaborate on this point? What role can new technologies play?
NB: Something what is highlighted is the need for efficient processing, to not have people in crowded places and to have touchless processes. When we come back from this [crisis], we will be in a slightly different world and we’ll be much more conscious of things like social distancing, and in not touching surfaces and perhaps close contact with other people.
And I think technology has got a big role to play in that; if you look at things like biometrics, automated e-gates, standoff screening and even health screening, there’s a whole raft of technologies that may become part of the new normal process in not just airports, but in society in general. So there’s definitely a role that technology can play to make travel smoother, faster, more efficient, and frictionless and I think that’s going to be really important.
AB: The guidance also explores how airports will need to plan to restore systems to full capacity. What measures will be needed to achieve this in the months/years to come?
NB: The key is going to be very careful planning. As we start to bring things back online there is going to be a case of making sure that the right staff are available, that the third party suppliers and contractors are available, that we look at the really critical systems, safety and security operations and business-critical systems that need to come back.
There’s going to need to be testing to make sure everything is working as it should be. There may be a need for compliance checks and recertification of systems that have been offline, depending on how long this goes on for. [Our next guidance is] really looking at not just it but in general, how do you start operating an airport again? That even means things like for example right now, we put a lot of aircraft parked on taxiways; how do you safely start to operate an airport again, if you’ve got aircraft parked? So it’s all those things that we’re looking at holistically to try and provide good guidance and advice to airports as they come back online.
AB: How are global airport operators adapting to having largely reduced on-site staff?
NB: In the IT world, most have systems in place to enable them to work from home, we have good networks and so on. But we do have a lot of airport closures and terminal closures and really significant reduction in aircraft movements. So of course, that means impacts throughout the entire industry, whether it’s airlines or airports or ground handlers. The industry is in crisis. There’s no doubt. But, we’re doing the best we can with using the technology. We’ve got to keep going and be ready for recovery.
AB: Are there any more guidelines that you’re working on?
NB: We just actually released some operational guidelines. They look more at things like aprons and ramps and taxiways and so on. As we move forward, we’re just about to have a webinar on business continuity which considers all aspects of business continuity. And then we’re really turning our attention to what recovery looks like, what do airports need to do as they start to come back online. And certainly IT will be part of that.