The increasing number of cyber-attacks within the aviation industry are posing a great threat which can see passenger information being accessed, flight information being leaked, and operational data falling into the wrong hands.
To increase its security the UK’s largest airport group, Manchester Airport Group (MAG), has recently chosen independent cyber security services company, Bridewell, as its security partner to increase security event visibility by 1500%.
The partnership has seen the airport revolutionise its visibility and protection against cyber-attacks, through the development of a more modern and agile security operations centre in-house. The partnership sees real-time activity monitoring on devices and servers increasing from the previous 5,000 to 80,000 events per second.
With MAG serving more than 60 million passengers per year across its Manchester, London Stanstead, and East Midland airport locations it is imperative that the airport has a strong, unshakable security system to safeguard the business from cyber-attacks.
To find out more about this technology we spoke Martin Riley, director of managed security services, Bridewell, to discuss the project as well as the biggest cyber-security threats which are faced by the industry.
Frankie Youd (FY): How did the partnership between the airport and the company come about?
Martin Riley (MR):
We worked with MAG to deploy a SOC technology stack which is a blend of Microsoft Sentinel and Microsoft Defender XDR. Fundamentally everything is moving to the cloud and devices. What that has changed is it means that your data is no longer inside someone’s office, it’s no longer inside the data centre. That has to change how you secure that data.
We have done a very similar, much larger transformation for another airport group. We did a huge deployment of 15,000 plus users, aligned to the compliance requirements which are needed for CNI, specifically transport. We were one of the first deployments of this technology stack, we are a Microsoft Gold security partner.
The head of cyber in that business wanted to say: “Look at what we’ve done, it’s been a fantastic achievement”, and he invited other industry leaders into that presentation.
Tony Johnson at Manchester Airport Group said: “Wow, compared to what I get right now with my current tools and my partner, this is fantastic. Who do I need to work with to take a similar journey?” So that was how the introduction came about.
FY: Could you provide an outline of how this technology works?
MR: Fundamentally everything is moving to the cloud and it’s moving to a device. What that has changed is it means that your data is no longer inside someone’s office, it’s no longer inside the data centre. What has changed is how you secure that data.
Normally you would have network security, you would have firewalls and you will be feeding that information into a specific team looking for alerts and threats inside your data centre, inside your network that you control.
But with the cloud, everyone is moving to single sign on or multi factor authentication that integrates management and controls around your identity, your user account. We started to shift the security boundary from just looking at what was traditionally there to what we need to do now.
The new technology stack lets us do everything that we did before, but also embraces everything that we now need to from that security perspective. It really helps businesses embrace cloud by using the new technologies along with AI and machine learning, which is really important to be able to compact the large amounts of information that we’re getting to be able to drive that visibility.
The simplicity of deployment allows us to ensure that we were able to increase the visibility of everything that was on premises before.
FY: Is there training provided for the staff?
MR: Most of our services are delivered as a managed service, so it would be our security operations team that are managing it on a day-to-day basis. A lot of clients bring us in for consultancy to be able to do that rapid onboarding.
With MAG we worked with them to enable them to build their internal skills. Their security operations service was completely outsourced to their incumbent and by the end of the project with us they were running the first line analysis themselves with a team that they built from the ground up, just with backup support from ourselves.
There is training and development available for in house teams to be able to run and upgrade their security operations centres, so the cost of ongoing management is lower. Not only does the new SOC bring MAG some level of cost benefit but it reduces that security response time from a delay which is maybe 15 minutes to something that is actually within seconds.
FY: How can staff use the software to identify potential cyber-attacks?
MR: As a part of the technology stack we deployed there is a report button built into the users Outlook client so when they receive an email that looks suspicious they can just push a button and it fires it straight to us for our analysis and response.
If we deem it is phishing, we can assess it in a safe environment to track what it does, and how it does it – Microsoft will be analysing it at the same point of time. We then say yes that’s malicious, and then go back into every mailbox to find out who has had it, make sure that they no longer have the ability to be able to read it, and then start to push that investigation forward to who opened it, who clicked it, what actions can be taken so we can close that down a lot quicker before it becomes a problem.
FY: What are the main benefits of this new technology over the older system?
MR: I think one of the key benefits for this tech is that integrated visibility of not just what you have on site, but everything that you’re doing in the cloud. If you think around airports or anyone else in the travel industry the other element of that is obviously operational technology.
As you walk through an airport every security barrier, baggage check, scanner, camera, they are all connected to a network in one way shape or form which is segregated to be secure. Traditionally, they have been completely air gapped so there is no communication between the cloud and traditional IT and operation technology, those boundaries are blurring.
The key benefit of the technology stack that we’re working on with Microsoft, and what we’re able to overlay on the top, starts to integrate all three of those, so that from a security visibility and posture you’re able to see what’s going on, but importantly, rapidly respond to what’s going on.
Traditionally security said: “I can tell you we’ve got a problem, but it’s now your problem to fix.” Whereas this technology tech says: “I can see we’ve got a problem, and this is how we can contain it quickly.”
Cyber-attacks have been a problem for a long time, it’s just come a lot more to the fore as they go for bigger targets for more money. So being able to identify the fact that it’s going to come in through email, we can see that the user’s account has been compromised, we can see traffic on the network on their machine, we can see that they’re doing things in Office 365, and we can see that they’re starting to talk to servers and devices on site. Being able to see all of that and stop all of it at any point is critical.
FY: What are the most seen cyber-attacks within the industry?
MR: I think there are two trends that we’ve seen probably over the last 12 months that are common. There is a real shift to what’s called initial access also known as phishing. There is a real change in behaviour to be able to target business email compromise by phishing and that is because it is the easiest and cheapest cost of entry and lowest barrier for compromise.
What we’re also seeing is that a lot of companies that are having attacks are also seeing most incidents being third party compromise. It’s the suppliers, it’s the third parties that may have identity and access into your environment for any number of reasons. That’s the areas on the periphery that don’t have full governance and control, and they’re the ones that are probably leading to the entryways into some of the target companies.
The worst thing that an airline or an airport can have an issue with is the flow of passengers. For example, if someone was able to get access to the security gates that would stop people being able to get through, and that could quickly ramp up into a position whereby the airport has to shut. This has massive financial impact and you imagine what the reputational damages are too.