Today, the world’s airports have some of the most stringent security processes of any public facility. But while strict physical measures have been put in place to ensure the safety of passengers, staff and infrastructure, the need for network connectivity could leave equipment such as luggage screening machines easy prey to cyberattacks.
In 2014, researchers Billy Rios and Terry McCorkle caused upset in the travel sector by reporting how simple it would be for a dedicated individual to hack airport x-ray scanners, masking contraband items on the screens of security personnel, and compromising the entire airport security operation. The news highlighted how a technological oversight could have potentially catastrophic consequences.
Earlier this year, the US Transportation Security Administration (TSA) announced a partnership with IT experts Unisys to implement a software package designed to ‘connect and protect’ airport screening equipment, and to maintain and operate said equipment to ensure airport security. The question remains though, of what it actually takes to secure this equipment, and how prepared airports are to face a looming cyber threat.
The silent threat: the dangers of insecure systems
Technology consultancy PA Consulting recently published a report focusing on the cybersecurity of airports, titled ‘Overcome the Silent Threat’, explaining how airports have long been the target of those seeking to cause high-profile public disruption, requiring highly refined physical security measures. Conversely though, it found airport cybersecurity measures to be comparatively lacking.
“I think cyber is very much an emerging threat,” says PA Consulting digital trust and cyber security expert Justin Lowe. “I think it’s way behind physical threats in some aspects, but the attackers out there are getting better. They’re starting to prey upon other infrastructure systems rather than just banking. And with the Internet of Things and connectivity, that’s really driving this as a growing risk. I’m not sure that all airports are quite on top of this.”
Many airports are increasingly implementing connectivity within security processes, placing equipment on a network to improve efficiency and traceability. Yet despite these admittedly significant advantages, much of this equipment was never designed to be part of a network, and is therefore lacking in any form of cyber defence.
Lowe explains: “Generally, if you can access them, they are relatively easy to compromise in some way. They often don’t have the up-to-date security software patches that even your home computer might receive, so there’s vulnerability in the operating system.”
Even equipment kept on a local network completely away from the internet is susceptible to an attack should a person with sufficient know-how gain access to the system. “Any equipment connected to a network can be potentially subject to hacking. Even a perfectly autonomous local network can be infected from a simple USB stick connected to a standalone PC,” comments David Lenot, airport application group manager at intelligence and security expert Genetec.
Held to ransom: indirect security threats
It’s not only targeted threats that could compromise airport security equipment; the greater danger could come from indirect outbreaks of ransomware such as the WannaCry incidents of early 2017. Ransomware is malicious software that seeks to disrupt or disable systems until a ransom is paid to regain access, and rather than being targeted they are distributed online, either through accidental download of files, or through infection via contact with other insecure systems.
“If ransomware were to get onto these systems, then that would cause complete carnage in the screening process. There would be mass disruption. You’d be relying on fall-back plans,” says Lowe. “The interesting thing about the ransomware attacks is that they were non-targeted attacks. The NHS, for example, got really hit by WannaCry, but no one was really targeting the NHS. Even if you think you’ve got no risk of being targeted, you could accidentally be hit.”
According to Lenot, another threat could simply be incompetence on the part of operators. Critical infrastructure such as an airport is always going to be the target of those with nefarious intent, and without proper education on cyber threats, staff could inadvertently cause security systems to be compromised.
“Cyber incompetence is seen as a proper risk today, and is covered by a growing number of specialised insurance agencies,” he says. “It could be as simple as an unsuspecting employee finding a USB stick left in the parking lot – possibly planted by a bad guy – and inserting it into the office computer.”
Constant vigilance: more to be done
Despite the fact that the majority of airports have a dedicated IT team, Lowe explains how sometimes, this still doesn’t help. “The IT departments in airports tend to focus on IT systems, not necessarily on some of the operational technology,” he explains. “Not just the screening area, but the technology that runs the airport, runway lighting, facilities maintenance, HVAC, building control, and physical security systems. The challenge for IT departments in airports is really to be able to manage the security of a much wider network.”
And, as airports become more connected and update their technology to keep up-to-date with the outside world, the more devices IT teams have to keep on top of.
Progress is being made in this space – Munich Airport in January opened up its dedicated Information Security Hub, designed to defend the airport and the wider aviation industry, from cybercrime – but airports around the world have to be constantly aware of cybersecurity any time technology is used throughout any airport operations. “Constant vigilance is needed not only through software but also through network port and cable management to ensure that untrusted network devices are not mixed which trusted ones,” says Lenot.
“It’s a case of doing the same great job that airports do in terms of physical security, but doing that in the electronic domain,” explains Lowe. “Risks creep in. ‘Oh I just need to make this connection here’ can lead to significant security risks. Airports looking to join these systems up need to make sure they’re doing it in the right way and look at the risks, plus the manufacturers of this equipment need to look at how they build their systems so that they can’t be interfered with digitally.”