David Oliver, global transport security lead at PA Consulting Group, discusses the crucial role people play in preventing – and sometimes causing – cyberattacks at airports.
Air travel can often be a stressful business with passengers worrying about security, terror threats, and flying itself. Recent examples of data breaches and chaos caused by hackers mean that cyber threats are now adding to those concerns.
Airport operators cannot ignore the real and growing threat that cyberattacks pose both to them and to the wider aviation industry. As airports become increasingly digitally connected, they will need to change how they tackle these attacks and adopt the same rigor in dealing with them as they apply to terror threats.
The growing use of technology across airports and the upgrades of legacy systems make this task highly complex. Those responsible for cybersecurity need to have a deep understanding of the issues and solutions, and be able to provide clear leadership to all those involved.
The human factor
Our experience working with several major international airports, set out in our recent report Overcome the Silent Threat, is that one of the critical weaknesses in cybersecurity plans is that they often overlook the human factor. It is easy to believe that because the issue is technology-related, technology will provide the solution. But cybersecurity is not a binary issue and it is vital to understand that people create the biggest vulnerabilities, though they can also be a significant part of the solution.
This is a particular challenge for airports, which contain a complex mix of employees, contractors, security personnel and passengers – all of whom use different systems with different vulnerabilities. It is vital that all those people consistently know how to respond to an attack, and how to prevent one from happening.
However, they do not always have the skills, training or levels of awareness of cybersecurity they need to do this. Added to this is the reality that humans are easily exploited by cyberattackers, creating the potential for unintentional or careless actions to allow attackers to access the system. Equally, there is a need to protect the organization against more malicious insider attacks.
Recruitment programs, training and collaboration between physical and cybersecurity personnel are all ways to improve an airport’s cyber resilience. This, though, needs to be underpinned by a clear culture, led from the top, that demonstrates the importance of good cybersecurity in everything employees do.
Climbing the ladder
Our work has shown that good cybersecurity in airports is often most influenced by the person in charge. That means awareness at leadership level is critical and that this needs to be supported by governance structures that develop and reinforce resilience.
This raises the question of who is ultimately responsible for building an airport’s resilience to attack. There should be one senior – ideally C-level – executive who coordinates the whole airport’s approach. This reduces the potential for internal conflicts that can arise when responsibility is shared. However, the reality is that this kind of clarity is not always in place at the moment.
One of the reasons why airports have not always put in place a systematic or best-practice approach is that there has been a lack of clear international standards for cybersecurity in airports. Without guidance and support, airport leaders have been left in the dark as to what they should do.
This is now being addressed through the Networks and Information Systems (NIS) Directive, which offers a framework for an international standard of cybersecurity in airports. This is a start, but its successful adoption within each airport will depend on its leadership having the authority to drive any recommendations to the heart of their operations.
Here, again, good cybersecurity comes back to people. NIS will support the standardization of responses to cybersecurity challenges and encourage secure-by-design approaches, but the fact remains that people need leadership – not more technology or regulations – to ensure effective defences against attacks.
This means that airport leaders need to step up and take responsibility for managing the human element of cybersecurity and recognize that this will become more important as their airports become ever more complex and increasingly technology-driven.
For more information about PA Consulting’s work in this space, visit: www.paconsulting.com
David Oliver leads PA Consulting’s work on transport security. He helps organizations across multiple modes improve the security of their operations. Oliver is the author of PA’s recent report on aviation cybersecurity, Overcome the Silent Threat.