Looking back over past events around the globe, most would agree that security, generally speaking, is a serious matter and should be taken into consideration in many, if not all, activities performed by individuals, industry experts, government officials, and so on. However, the importance of security becomes fundamental when viewed through the lens of Critical Infrastructures (CI).
Within the CI domain, there are several types of institutions from multiple sectors: the energy sector (e.g., power plants), the communications sector (e.g., telecommunication companies), the health sector (e.g., hospitals), and the transportation sector (e.g., airports), to name just a few. It is relatively easy to spot that the common denominator across these sectors and their associated infrastructures is their involvement in our day-to-day lives and their high potential for a negative impact on society if things go wrong. Therefore, ensuring their protection and resilience – especially in tough times – is necessary to sustain a viable and healthy society.
In the light of recent events in Eastern Europe, it has become clearer that the security of Critical Infrastructures is not a matter of the future, but a matter of the present: a need for societies to defend against physical perpetrators and cyber attackers. Each individual sector has its own particularities and differences. Therefore, to make the present discussion as effective as possible, the scope will be narrowed down to only one CI type from the aviation industry, namely airports.
Airports are incredibly fascinating and complex infrastructures within the transportation domain. They allow tens of millions of passengers to transit across their premises and buildings every single year to embark on their leisure or business journeys, while at the same time ensuring that all processes behind the curtain run as smoothly and effectively as possible and with a very high degree of safety and security. However, airports as we know them today were not the same in previous decades, especially with regard to security. Certain tragic events at the beginning of this century (e.g., the 9/11 terrorist attack) have helped to shape the current airport security processes.
At the same time, it is not only the airports’ security measures that have evolved, but also the technology that forms the basis for the airports’ Information Technology (IT) systems, Operational Technology (OT) systems, airport management systems and others. This went hand in hand with a broader landscape of applications and technologies in use, and hence also a wider attack surface available to potential attackers. Therefore, threats today no longer come only from the physical world, but also from the technological world. This means that airport security requires a holistic approach in which security is not just a “one-time deal”, but a recurrent and evolving process to face current and future threats. Also, the viewpoint from which threats are considered needs to be multi-focal, accommodating physical and cyber threats as well as so-called hybrid threats. Based on these requirements, five good practices can be identified which should be taken into consideration to maintain or increase the overall security level of airports.
Risk assessments are frequently used in critical infrastructure protection, though not only there. They are processes used to determine the likelihood and the impact that certain threats and events can have on an asset; if the combination of impact and likelihood is not acceptable to the enterprise, the risk needs to be lowered to an acceptable level through different means. Risk assessments are also known as a core part of implementing a Safety Management System (SMS) and/or Security Management System (SeMS).
Risk assessment, within a security context, can address both physical security threats and cybersecurity threats. However, as a good practice, the EU-CIP consortium also deems the consideration of cyber-physical threats important. This type of threat can be understood as a combination of cyber and physical threats where the individual physical or cyber threats do not present significant risks to the asset in scope, but their mixture does. This situation can arise because certain physical security mechanisms can be bypassed by a cyber-attack, while cyber protection mechanisms can also be bypassed by physical attacks. By also considering cyber-physical threats, the security risk assessment could potentially provide more insights and a more complete security picture of the assets involved.
Airports’ system infrastructure has been developing continuously for the past few decades. New technologies (mainly IT-based) to which airport passengers are exposed, such as self-check-in stands or Automated Border Control (ABC) systems, can currently be found in many airports around the globe. At the same time, “behind the curtain”, where passengers do not have access, many airports have modernized their industrial operation systems (hence OT), such as Baggage Handling Systems (BHS), with smart sensors and control systems to allow better time efficiency and accuracy when handling passengers’ luggage.
These technological advancements within the airports’ infrastructures have brought many benefits, but also some drawbacks. For instance, a more automated BHS brings certain advantages by allowing the machines to carry the heavy load more efficiently, but it unfortunately also increases the airport’s attack surface, as systems never intended to be connected to the internet are now connected. In general, the systems architecture of airports is highly complex and interconnected, and therefore more difficult to protect than that of a normal enterprise.
As a good practice, when handling the cyber and physical security of IT and OT systems, the interconnection between the two domains should be taken into careful consideration, both to avoid cascading effects from one domain to another and to prevent attackers from pivoting and influencing one domain from the other.
Crisis management is a critical part of airport operations which comes into action to respond to, solve and mitigate escalated issues which, for example, could put the lives of passengers and staff at risk. With respect to security crises, one good practice airports can implement is to have a designated team of specialists, onsite or remote, which can deal with attacks on the security of people and digital systems. Such a team can be part of a Holistic Security Operations Centre (HSOC) which, apart from detecting physical or cyber intrusions, could work in conjunction with the Airport Operations Centre (AOC) to communicate and coordinate with both internal and external stakeholders.
Compliance with security standards is generally recommended for all sorts of enterprises, especially Critical Infrastructures. In the case of airports, it can be considered a good practice to comply with one or more of the following standards (the list is not meant to be exhaustive):
Cybersecurity related standards and best practices:
Cybersecurity related regulations:
Physical security related regulations, standards, best practices and recommendations:
Defence in Depth (DiD) originated as a philosophical approach to safety, which implies redundancy on multiple levels with the goal of minimizing the impact of an adverse event. In security, the DiD methodology does not indicate a 1:1 relationship between the security controls and a specific risk, but rather a holistic approach to protect all assets through multiple layers of defence, which can be physical (e.g., security guards), technical (e.g., Intrusion Detection and Prevention Systems) or administrative (e.g., security policies and procedures). Therefore, adopting such a multi-layered defence approach for airports can be considered a good security practice.
The aforementioned five good practices are meant to enhance security within the critical infrastructure’s premises, with the ultimate goal of preserving the safety and well-being of the passengers who transit through airports towards their final destination. If they are not already implemented, the EU-CIP consortium strongly recommends at least considering them in the pursuit of upgrading the airports’ security level.
DLR, April 2023