The airport environment poses some unique challenges for cybersecurity. Operational efficiencies demand that dozens of stakeholders work effectively together to deliver a seamless service to the travelling public. This is especially true in today’s world of COVID-19 impacts and concerns.
In airports, the interface points between the stakeholders can become extremely complex, and there is rarely a single point of oversight for all the information being exchanged. It’s more of a “supply-mesh” than a traditional “supply-chain”.
We are already seeing the challenges caused by COVID-19 being abused by cyber attackers – either by using it as an enticement to click on links (with messages like “5 tips to protect yourself against coronavirus”), or by attacking stressed institutions in the logic that they’d be more likely to pay ransoms as a quick way to make the new problem go away. The complexities of airport supply chains mean careful management is needed to control the exposure of the entire operation against the compromise of a single party.
The information machine
Modern airports are increasingly data driven, with a huge range of information flowing between partners and supported by many interconnected systems, themselves managed by different parties. Operationally, we aim for an environment where the information that is needed is available instantly – both for the public and the partners that need to work together. When this works 99% of the time, people start to forget just how dependent they are on the smooth running of this information exchange.
Egis runs airports across the world and as a result works with a wide range of suppliers. One thing common to all its airports is the complexity of managing the relationships and information sharing (including security) with so many operational partners. It gives us unique insights into the challenges faced by our customers and additional hands on experience of helping to resolve them.
Like any well-oiled machine, there’s a high dependency on all the cogs turning in exactly the right way. The bigger the machine, the more cogs there are and the more critical it becomes that the system is cared for and protected against faults, damage and disruption.
The organic growth of airport environments, with no central architect or responsible body, means that there may not be a complete picture of information flows, or a clear point of responsibility for securing the information. When dealing with security in a multi-stakeholder environment, there is always a risk that there may be overlaps, and also gaps in how information and cybersecurity is managed.
Handling the ‘supply mesh’
Faced with the possibility of multi-stakeholder interfaces, most organisations try and restructure to simplify and avoid the challenges that they bring. This is not a realistic option in airport operations – a linear approach would add unaffordable overheads and hierarchies and make it hard to maintain the efficiencies that have been developed over the years.
The good news (and there isn’t much of it around these days) is that serious thought has been given to this problem already – and it’s even in an aviation context! The EUROCAE ED-201 standard has sadly not been widely used up until now, but it introduces the concept of “External Agreements” – multi-lateral arrangements aimed at agreeing how information relating to security risks can be shared for the greater good.
The idea behind “External Agreements” is that stakeholders find a common standard for managing information security between themselves – it avoids the traditional need for centralised security management, and instead allows each organisation to manage security in an appropriate way for themselves. By laying out a security approach which fundamentally acknowledges there will be many stakeholder interfaces, it helps all parties express their expectations and requirements on others – and also helps highlight where those gaps might exist.
Helping shape the future
When it was published in 2015, ED-201 was state of the art. However, the world keeps turning, and with it comes a need to revisit and refine standards. The development team behind ED-201 are currently finalising a revision which refines the approach based on real-world experience of External Agreements.
ED-201 revision A is due to enter Open Consultation later in 2020 and will be a joint standard between EUROCAE in Europe and RTCA in the USA. The standard is also being supported by EASA and is expected to form an Acceptable Means of Compliance to future regulation within Europe – an indication that the information sharing it defines is considered “best practice” by the Aviation Safety Regulator.
A key part of improving standards comes from review and input from the expected end users. There is a fantastic opportunity for the Airports community to help shape a tool which is designed to control and manage the information and cybersecurity challenges which result from the complex stakeholder environments we have today.
Involvement in the ED-201A development is available to all EUROCAE and RTCA full member organisations, with many airports already being members. During the Open Consultation stage the document will also be available for comments from non-members.
Best practice guidance
Back in 2018, Egis and Professor Chris Johnson from the University of Glasgow were commissioned by the UK Department for Transport to analyse the dependencies of UK airports and airlines on common data systems and services, and the impact of their loss or compromise. The resulting report on Supply Chain Security in the Aviation Industry looked at data flows, critical dependencies and good practice. It is as relevant today as it was when first published in December 2018, but the nature of cyber-attacks is constantly evolving and as we can already see, attackers will try to use even unforeseen global events to their advantage.
We often say that a chain is only as strong as its weakest link and focus on protecting ourselves from the weaker links. In the ‘supply-mesh’ environment the focus needs rather to be on creating stronger links overall. It requires agreement and collaboration, and a recognition that by working together our cyber defences are far more effective than when working apart.