Jake Olcott, VP of Government Affairs, BitSight, discusses worrying cybersecurity levels in the world’s major airports
A new study has exposed what it describes as ‘glaring gaps’ in the cybersecurity posture of many of the world’s largest airports, with the authors saying that ‘movie-level’ cyber-attacks are now easier to orchestrate than ever, and from anywhere in the world.
The report, State of Cybersecurity at Top 100 Global Airports, finds that all but three of the world’s biggest airports have an alarming lack of systems in place to protect their websites, mobile applications, and public clouds.
Airports receive bad grades for website, mobile app, cloud, and data protection
Digging deeper into the report reveals that dozens of airports failed to make the grade for website security, with only three receiving an A+ grade. Worse, nearly one in four received an F grade due to their use of outdated software, including content management systems (CMS) like WordPress that have known and exploitable security vulnerabilities. These vulnerabilities are also prevalent across 24% of airport websites, while nearly 25% of those sites lack SSL encryption or use the now-obsolete SSLv3.
The security posture of airport mobile apps (used to enhance passenger engagement and experience) is even worse. For the 36 apps examined, researchers uncovered more than 500 security and privacy issues and 288 mobile security flaws — an average of 15 per application. Meanwhile, 34% of those apps lack encryption of outgoing traffic, putting personal and financial customer data at risk.
Indeed, data loss emerged as a significant finding, with 66 of the top 100 airports flagged for having data — such as IDs, financial records, and passwords for production systems — exposed on the Dark Web as a result of a data breach. Many of these leaks originated on public code repositories used by application developers.
Finally, the report finds that some airports (3%) are not doing enough to protect cloud environments that host sensitive data.
Why airport cybersecurity matters
Airport security is traditionally associated with passenger screening, bag checks, and long lines. But airport operators and passengers should also care about, and demand, stringent cybersecurity measures at the airports they travel through.
Millions of people and organisations entrust their data to international airports each day. This makes airports attractive to cybercriminals who may consider attacking vulnerable systems to target travellers, cargo traffic, or disrupt critical national infrastructure.
How to reduce cyber risk
To reduce the risk of cyber-attacks within any airport environment, cybersecurity leaders must first understand their organisation’s risk surface. Only then can they make decisions about which controls to implement and where to allocate their limited resources to secure their valuable assets from threats.
We recommend that airport cybersecurity teams run continuous discovery programs and perform constant inventories of their digital assets. In doing so, they can gain visibility into risk exposure from outdated software, known and unknown vulnerabilities, misconfigured systems, undetected malware, and unsecured access points — across web assets, clouds, and on-site systems.
Airport security administrators need a system with which they can continuously monitor, measure, and communicate the efficacy of the cybersecurity controls they have in place. This will enable them to shine a light on cyber risk and see what assets they have in the cloud and how they’re configured.
Cybersecurity teams must also look beyond the perimeters of their own IT infrastructure. In today’s increasingly interconnected world, threat actors often exploit third, fourth, and even nth parties to launch their attacks. Therefore, it’s vital that airport cybersecurity teams conduct in-depth audits of their vendors and suppliers — and implement a third-party risk management solution that goes beyond paper-based questionnaires to immediately expose the riskiest cyber issues within the supply chain.
Using third-party risk monitoring tools, security administrators can immediately identify threats within their supply chains, target resources at vendors who have the highest level of cyber risk, reduce the time it takes to complete cybersecurity assessments, and work with vendors to close gaps in their security programs. This can be achieved quickly and at scale, using the resources many airport cybersecurity teams already have today.
Protecting travellers’ sensitive data
Unlike in the movies, it only takes a single industrious attacker to do significant damage in our nation’s airports. Unfortunately, it doesn’t appear that many of those airports are prepared for this new reality.
Today’s airport cybersecurity teams must do everything they can to protect their travellers’ sensitive data by quickly identifying and patching vulnerabilities and flaws. Of course, that takes more than just traditional firewalls. It takes a rigorous and ongoing approach to cybersecurity.