
Best practices can help airports mitigate growing vendor and third-party cybersecurity risk

18th March 2021

Introduction

Technological advances over the last decade have benefitted myriad market sectors, including the aviation industry. Today’s airports employ technology to operate around the clock, meet travelers’ evolving needs, and keep travelers, staff and operations safe.

Threats to the safe, secure use of technology have evolved just as quickly. Cyber-attackers are becoming increasingly sophisticated, moving from one industry to another as businesses and entire markets assess and shore up their vulnerabilities. Cyber-attackers also are constantly changing their tactics as new vulnerabilities arise. When one route of access is blocked, they look for others.

In recent years, cyber-attackers have begun targeting vendors and third parties that businesses rely upon to operate and serve their customers. Cyber-attackers have preyed upon vendors’ cyber weaknesses to gain access to the systems of hospitals, banks and financial services firms, major retailers, utilities, transportation systems and water treatment plants and other critical infrastructure.

Airports are no exception. They accommodate thousands of travelers per day, employ thousands more in jobs of every level, and are vital to the economic well-being of the cities and regions in which they operate. While technology has played a central role in airports’ success, it also has opened up new areas of risk, especially when airports use outside vendors or third parties to perform certain functions or manage certain systems. And, while airports’ security controls may be well hardened, those of their vendors may be more easily breached, leaving airports around the world scrambling to find ways to simultaneously embrace technological innovation while ensuring that doing so doesn’t expose them to new, unanticipated risks. It’s a balancing act that isn’t easy, but is achievable through careful planning, objective monitoring and diligent management.

Section 1 – Growing Cybersecurity Risks for Airports

1.1 Brief History of Airport Security and Cybersecurity

The history of air travel has gone through many ebbs and flows over the past several decades. From the 1960s through the late 1980s, travel was considered an elite experience, geared toward high-paid executives who required comfort and posh amenities while traveling for business around the globe. In the 1990s and early 2000s, travel became more of a commodity, and airlines scaled back services to maintain profitability and survive in an increasingly competitive market. The past decade has seen the emergence of myriad technologies to make travel and airport operations safer, more efficient and more responsive to travelers’ changing needs. Advances such as in-flight Wi-Fi and mobile devices have helped to make travel more enjoyable. The flight planning experience has also improved greatly. Travelers can book flights efficiently, find the best deals with price-scanning websites, arrange for transport to and from airports, reserve parking, and reduce their time passing through security check points by signing up for advanced screening memberships.

Technological advances at today’s airports originated and gained momentum in the 1980s, when airlines and ground handlers began sharing resources to create efficiencies and reduce costs. Airports began implementing Common Use Terminal Equipment (CUTE), which allowed for the maximum use of limited space for check-in counters, baggage handling and passenger movement through the terminals. In the early 2000s, airports became even more efficient, streamlining passenger check-in by installing self-service kiosks. These kiosks not only made the passenger check-in process more efficient; they also helped to reduce labor costs.

Resource-sharing within airports continued with the development of the Common Use Passenger System (CUPPS), which was designed to efficiently incorporate new technologies and allowed airlines, service providers and other stakeholders to share physical resources on and off the airport grounds. The resource-sharing that CUPPS enabled then paved the way for broader sharing of technology and services, which airports readily embraced and implemented throughout their operations. Today, airports have moved into the world of the “Internet of Things (IoT),” where almost every component of their infrastructure and operations is tied to technology and the internet.

The aviation and travel industries were severely disrupted in 2020 by the COVID-19 pandemic. After several years of rapidly advancing technologies to improve the traveler experience and increase airport efficiencies to handle peak demands, travel was brought to a near standstill and is likely not going to return to 2019 volume levels for some time. However, the need for technological advances will continue to increase as the demand for new, safer methods to move travelers and their cargo through airports rises.

1.2 Recent Cybersecurity Attacks on Airports

According to published news reports, the Albany International Airport in Albany, New York was the victim of a cyber-attack on December 25, 2019 that involved the deployment of ransomware on the airport’s systems. Ransomware is the leading method of cyber-attack, whereby attackers obtain access to a victim’s computer files and systems, and often encrypt or block access, until a ransom fee is paid. In this case, the attackers targeted the servers of LogicalNet, a Schenectady, New York IT firm that the airport had retained for computer management services. The servers that were encrypted contained archival airport data, including legal, administrative and HR files.

After learning of the attack, airport officials contacted the New York State Cyber Command and the FBI, and the airport was able to maintain operations without interruption. Fortunately, a forensic investigation concluded that no consumer information was compromised. However, the airport did pay the attackers a ransom to unlock the impacted servers. The payment, reportedly less than six figures, was paid via Bitcoin to a Russian attacker known as Sodinokibi. Albany Airport and LogicalNet disagreed on who was at fault for the vulnerability that led to the attack, and the airport terminated LogicalNet’s contract and retained the services of another vendor. (More information on the cyber-attack can be found here: https://www.timesunion.com/business/article/Ransomware-attack-cripples-airport-authority-s-14963401.php)

In April 2020, the San Francisco International Airport (SFO) confirmed that cyber-attackers managed to hack into its systems, compromise two of its websites and steal users’ Windows login credentials a month earlier. According to the data breach notice, (NOTICE OF DATA BREACH: March 2020 | SFO Connect), the airport’s two websites, SFOConnect.com and SFOConstruction.com, were attacked in March 2020, when cyber-attackers managed to inject malicious code that enabled them to steal users’ login credentials. According to the breach notice, the attackers targeted those who were accessing the website from outside the airport’s network through Internet Explorer on a Windows-based personal device or a device not maintained by SFO. Compromising access credentials is essentially “stealing the keys.” An attacker may access a system with a specific target in mind, or may simply be treasure-hunting. Often, an attacker steals credentials and then inputs those credentials into an automated tool that tries those credentials on financial services websites to gain access. Notably, if victims use the same usernames and passwords for their online bank account, the attackers will gain access to those as well.

Websites that are linked to the World Wide Web (those with a “www” prefix) often are the easiest to attack. Those with several application integration points, or places at which two distinct computer systems can interact, are particularly vulnerable.

On January 29, 2020, ImmuniWeb, a global application security company based in Geneva, Switzerland, released its “State of Cybersecurity at Top 100 Global Airports.” The report showed that 97 out of 100 of the world’s largest airports have security risks related to vulnerable web and mobile applications, including misconfigured public cloud usage, exposures to the Dark Web, or penetrations of code repositories. ImmuniWeb’s full report can be found here: State of Cybersecurity at Top 100 Global Airports | ImmuniWeb Security Blog

1.3 Cyber Threat Landscape

The cyber threat landscape is primarily comprised of threat-actors, vulnerabilities, and attack points. Threat-actors include nation states, “hacktivists,” criminal organizations, terrorists, competitors, and malicious or negligent employees or other insiders.

Vulnerabilities are weaknesses that threat-actors will seek out and try to compromise. Vulnerabilities can be computer system weaknesses, including a lack of patching or outdated software; poor access controls, such as weak passwords and not using multi-factor authentication; and poor end-user knowledge.

Attack points are the number of targets a threat-actor can compromise to expose risk. The more connection points, applications, devices, users, vendors and third parties being used, the higher the likelihood that a threat-actor will expose—and exploit—a vulnerability.

Motivated attackers will try various methods to achieve their mission. Understanding your organization’s threat landscape is critical to reducing your cyber-risk. It is also crucial to understand that, when engaging with vendors and third parties, their threat landscapes become part of yours.

1.4 Overview of Third-Party / Vendor (Supply Chain) Risks

The proliferation of technology and adoption of the Internet of Things has greatly enhanced the travel experience for passengers, as well as airlines’ and airports’ operations and profitability. But, airports haven’t achieved these improvements in a vacuum. Ensuring a modern and efficient ecosystem requires the involvement of multiple stakeholders (airports, airlines, passengers, local and national governments, etc.) working in collaboration with numerous vendors and third-party suppliers.

Vendors and third parties are engaged, and their technological advancements are employed, to support every aspect of the airport ecosystem, including air traffic systems, passenger ticketing and baggage handling, transport systems, parking management, communications, security, concessions, and payment systems, among others. While all of these technological components increase airport efficiency, they also increase risk. Cyber-attackers are perpetually looking for new vulnerabilities to compromise, as well as weaknesses in those vulnerabilities that will allow them to access sensitive data, key systems, and business processes. The more vendors and third parties that are used, the more potential there is for attackers to find a way into an airport’s data and systems. Tremendous amounts of data flow through these technology mediums. For passengers, this data includes their personally identifiable information (PII), credit card and payment information, ground transportation, and cargo movement details. Airport data includes facility access controls, utility control systems (air conditioning, heating, lighting, water, etc.), air traffic command systems, fuel transportation, flight information display systems (FIDS) and staff communications. Unauthorized access to, or malicious use of, this data can be catastrophic.

It’s important to note that today’s technology solutions are provided by companies of all shapes and sizes. There are very large players, such as Microsoft, Cisco, Amazon and Google, which provide operating systems, network connectivity and Cloud services. Notably, while these companies have very robust security programs, they are not beyond compromise. (Also, in many cases, the airport is responsible for “hardening” the system configurations to boost security beyond the standard levels set at implementation.)

Smaller companies also are key players in the technology ecosystem, and are typically involved in providing “specialty and emerging technology” solutions. These solutions include Artificial Intelligence, digital payment systems, biometrics, and custom applications, among others. While smaller companies may not possess the capital and resources of their larger counterparts, their size doesn’t necessarily make them or their products more vulnerable to cyber-attacks.

Typically, airports employ a variety of technological tools from both large and small vendors. However, each of these technologies needs to “talk” to the others to achieve peak value and optimization. While this interconnectedness is vital, it also increases both overall complexity and the likelihood of vulnerabilities and weaknesses, which, in turn, increases risk. Since large and small companies will have varying levels of security controls, all must be risk-rated and vetted accordingly.

Section 2 – Managing and Mitigating Risks

Risk management of vendors and third parties is essential, but can involve significant effort. Organizations often like to think that outsourcing services and technology tools effectively transfers risk while reducing functions they must perform or manage directly. However, this is not the reality. Turning over management and control of vital technologies to a third party reduces airports’ ability to foresee and remediate potential challenges and increases their overall risk. It is essential, therefore, that airports establish and maintain comprehensive vendor and third-party risk management programs to complement their outsourcing programs.

2.1 Best Practices

Vendor and third-party risk management programs must start with a solid policy and supporting procedures. The policy must identify how an organization will assess, manage, monitor, remediate and, in some cases, accept risks. Since all vendors and third parties aren’t equal in terms of their security protocols, the airport’s risk management policy must outline how it will risk-rate its vendors. Traditional “High,” “Medium,” and “Low” risk categories are standard. These categories also can be expanded to include “Extreme” and “Insignificant,” and the range of categories typically depends on the quantity of vendors and third parties to be managed. The formula for risk-rating vendors has many components, but the heaviest weighting comes from two categories: 1) What is the vendor or third party’s access to the organization’s most sensitive data, key systems and business processes? The more access, the higher the risk. 2) What is the maturity level of the vendor or third party? Maturity is a reflection of several characteristics, including the length of time the vendor has been in business, its size, and the history of the product or service it offers.

Generally, the more mature a company is in these categories, the more secure it is likely to be. However, those criteria are never a guarantee, and many additional factors need to be considered. For instance, a company may have been in existence for many years, but has it kept up on its security investments? The assessment also should cover such key questions as: 1) how does the company perform its own internal risk assessments, 2) what does its employee training program entail, 3) what are its cyber-incident response and business continuity plans, as well as recovery plans, and 4) how does it manage its own vendor and third-party risk? (That risk, essentially, becomes a “fourth-party” risk for the airport.)

Risk assessments also should encompass reviewing the company’s financial posture, reputation, and compliance with laws and regulations. It also may be prudent to request a copy of the company’s cyber- and information-security policies and procedures to gain a clearer sense of the company’s overall program. On-site visits also may be a good idea, especially if the company is providing data-hosting services.

Often, a leading question for a vendor and third-party risk assessment is “Does the company have any third-party attestations?” The most common third-party attestation is a System and Organization Controls (SOC) report. There are several types of SOC reports. An “SOC 1 Type 1” report is an independent snapshot of the company’s control landscape on a given day, and focuses on financial controls. An “SOC 1 Type 2” report adds an historical element, showing how controls were managed over time. SOC 1 reports have evolved from earlier attestations established by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board.

The AICPA also has developed an SOC 2 report, which focuses on a company’s internal controls for cyber- and information-security, availability, processing integrity, confidentiality and privacy. These SOC 2 reports have become standard for assessing cyber- and information-security. They are provided by accounting firms and their cost can be significant. So, companies that have them performed (which should be annually) are demonstrating a solid commitment to having a strong cyber- and information-security program. Notably, if a vendor or third party provides a SOC 2, it should not be used to simply “check the box”; it should be carefully reviewed, as these reports may provide valuable insights into a company’s weaknesses. It also is helpful to be aware of the company providing the SOC report and know whether or not the firm is reputable.

It is important to note that the world of independent attestations, and the variations among them, continues to evolve. Effective vendor and third-party risk management policies should contain guidelines on reporting and on what is standard in the industry, as well as tools to continually monitor the industry for changes.
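As an added worked example (not code from the article or from HKA), the following Python sketches a vendor risk-rating calculation in the shape this section describes: access to sensitive data, key systems and business processes sets the impact side, maturity (time in business, size, product history) together with the four programme questions and SOC 2 attestation status sets the likelihood side, and their product maps onto the Extreme / High / Medium / Low / Insignificant categories. The access tiers, point values, thresholds, the rule that PII or key-system access never rates below Medium, and the three sample vendors are all constructed assumptions for illustration, not figures from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Access tiers: the vendor's reach into airport data, key systems and business
# processes. Tier numbers and wording are assumptions made for this example.
ACCESS_TIERS = {
    0: "no connectivity to airport data or systems",
    1: "public or non-sensitive data only",
    2: "internal business data",
    3: "passenger PII or payment data",
    4: "key systems or business processes (e.g. FIDS, facility access control)",
}
CATEGORIES = ["Insignificant", "Low", "Medium", "High", "Extreme"]


@dataclass
class VendorAssessment:
    """Answers gathered during due diligence (every field here is constructed)."""
    name: str
    access_tier: int                      # key in ACCESS_TIERS
    years_in_business: int
    employees: int
    product_years: int                    # how long the product/service has existed
    internal_risk_assessments: bool       # question 1: assesses its own risk?
    employee_training: bool               # question 2: security training programme?
    incident_and_continuity_plans: bool   # question 3: IR, continuity and recovery plans?
    fourth_party_program: bool            # question 4: manages its own vendors?
    soc2_report_date: Optional[date] = None


def impact_score(v: VendorAssessment) -> int:
    """1..5, driven entirely by access: the heaviest-weighted factor."""
    if v.access_tier not in ACCESS_TIERS:
        raise ValueError(f"unknown access tier {v.access_tier}")
    return v.access_tier + 1


def maturity_points(v: VendorAssessment, as_of: date) -> Tuple[int, List[str]]:
    """0..10 maturity points plus the findings an assessor should follow up on."""
    points = min(v.years_in_business // 5, 2)        # longevity: 0, 1 or 2 points
    points += 1 if v.employees >= 50 else 0           # size
    points += 1 if v.product_years >= 3 else 0        # product history
    findings: List[str] = []
    programme_checks = [
        (v.internal_risk_assessments, "no internal risk assessment process"),
        (v.employee_training, "no employee security training programme"),
        (v.incident_and_continuity_plans, "no incident response / business continuity plan"),
        (v.fourth_party_program, "no management of its own vendors (fourth-party risk)"),
    ]
    for present, finding in programme_checks:
        if present:
            points += 1
        else:
            findings.append(finding)
    # SOC 2: full credit only when the report is within the expected annual cycle.
    if v.soc2_report_date is None:
        findings.append("no SOC 2 attestation")
    elif as_of - v.soc2_report_date > timedelta(days=365):
        points += 1
        findings.append("SOC 2 report older than 12 months; request the current one")
    else:
        points += 2
    return points, findings


def likelihood_score(points: int) -> int:
    """1..5: the more mature the vendor, the lower the likelihood of compromise."""
    return max(1, 5 - points // 2)


def category_for(score: int, access_tier: int) -> str:
    """Map a 1..25 matrix score to a category. Vendors holding PII or key-system
    access never rate below Medium, because maturity is no guarantee (assumption)."""
    if score >= 20:
        cat = "Extreme"
    elif score >= 12:
        cat = "High"
    elif score >= 8:
        cat = "Medium"
    elif score >= 4:
        cat = "Low"
    else:
        cat = "Insignificant"
    if access_tier >= 3 and CATEGORIES.index(cat) < CATEGORIES.index("Medium"):
        cat = "Medium"
    return cat


def rate_vendor(v: VendorAssessment, as_of: date) -> Dict[str, object]:
    impact = impact_score(v)
    points, findings = maturity_points(v, as_of)
    likelihood = likelihood_score(points)
    score = impact * likelihood
    return {"vendor": v.name, "impact": impact, "likelihood": likelihood,
            "score": score, "category": category_for(score, v.access_tier),
            "findings": findings}


def rank_for_remediation(vendors: List[VendorAssessment], as_of: date) -> List[Dict[str, object]]:
    """Highest-scoring vendors first, so the largest exposures are worked first."""
    return sorted((rate_vendor(v, as_of) for v in vendors),
                  key=lambda r: (-int(r["score"]), str(r["vendor"])))


# Constructed sample vendors: fictional names and answers.
SAMPLE_VENDORS = [
    VendorAssessment("Managed IT Co", 4, 6, 20, 4, False, True, False, False, None),
    VendorAssessment("Cloud Platform Inc", 4, 20, 5000, 12, True, True, True, True, date(2020, 11, 30)),
    VendorAssessment("Parking Signage Ltd", 1, 8, 12, 5, False, True, True, False, date(2019, 6, 1)),
]
AS_OF = date(2021, 3, 18)

if __name__ == "__main__":
    for r in rank_for_remediation(SAMPLE_VENDORS, AS_OF):
        print(f"{r['vendor']:<20} impact={r['impact']} likelihood={r['likelihood']} "
              f"score={r['score']:>2} {r['category']}")
        for f in r["findings"]:
            print(f"    - {f}")
```

Run as a script, the small IT provider with administrative reach but no attestation lands in Extreme with four findings, the mature cloud provider scores lowest but is held at Medium by its key-system access, and the signage vendor comes out Low with a stale SOC 2 flagged for follow-up. The findings list is the part to keep: it turns the rating into the set of questions to put to the vendor before the contract is signed.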

2.2 Regulations

Vendor and third-party risk management programs are not only sound business practice; they also are required in nearly every industry. Regulations span a wide range of authoritative bodies, and some have been around for more than a century. Other regulations are more recent, and newer ones are on the horizon. The 1863 False Claims Act, which predates almost every technology in use today, has broad implications for cybersecurity. The False Claims Act is a whistle-blower law enacted to identify fraud perpetrated against the US government. The Act also allows any person to sue an entity that has committed fraud against the US government. The plaintiff bringing the suit is eligible to receive a percentage of the successful settlement and protection from retaliation by the defendant, including being fired.

Despite its age, the False Claims Act continues to be highly relevant today. Two recent False Claims Act cases highlight both vendors and their cybersecurity responsibilities:

In July 2019, Cisco Systems settled a claim brought by a whistle-blower, alleging that it had knowingly sold video surveillance software with vulnerabilities to various governments. Cisco’s settlement of the case constituted the first pay-out related to cybersecurity standards under the False Claims Act. Whistle-blower James Glenn, who worked for a Danish firm that was a Cisco vendor, had brought the suit eight years earlier, in 2011. In it, he alleged that Cisco’s product was vulnerable to hacking and could enable cyber-criminals to gain administrative control of an entire network. Glenn alleged that he had warned Cisco about the flaw, but said the company did nothing to correct it. Notably, Cisco acquired the firm that made the video surveillance software—and upgraded it—two years after Glenn brought his suit. Before selling the software to Cisco, the company had sold it to such clients as the Washington DC Police Department, Los Angeles International Airport and the US military. In total, the case listed 15 buyers at the state level, plus the federal government. (More information on the case can be found at:  https://www.reuters.com/article/us-cisco-systems-claim/cisco-whistleblower-gets-first-false-claims-payout-over-cybersecurity-idUSKCN1UQ2W2 and https://apnews.com/article/2e56253a512a4622997e8b6e9b1d0e9b)

A second case was filed in California by a whistle-blower on behalf of NASA and the Department of Defense against Aerojet Rocketdyne Holdings, Inc. The whistle-blower, a former employee of Aerojet Rocketdyne’s cybersecurity department, alleged that the company committed fraud when it entered into federal contracts despite not meeting cybersecurity requirements with which government contractors must comply. Aerojet Rocketdyne maintained that it had informed the government of its non-compliance, and asked the United States District Court for the Eastern District of California to dismiss the case. In May 2019, the Court rebuffed Aerojet Rocketdyne’s motion to dismiss, which, in effect, upheld the argument that a government contractor can face FCA claims if it falsely implies certifications of compliance with federal cybersecurity regulations—even if it had disclosed non-compliance to the agency. Although the US District Court ruling did not assign liability, it did open the door for future FCA litigation based on implied cybersecurity certifications. (More information on the case can be found at: https://resources.infosecinstitute.com/topic/the-false-claims-act-and-cybersecurity-are-third-party-vendors-putting-you-at-risk/ and https://news.bloombergtax.com/coronavirus/aerojet-rocketdyne-must-face-allegations-of-lax-cyber-compliance?context=article-related)

Data privacy is another element of cyber-security involving vendors and third parties that is highly scrutinized and strictly regulated. In May 2018, the European Union implemented the General Data Protection Regulation (GDPR), which changed the general concept of data privacy with articles on Data Subject Rights (DSR). The DSR component of the GDPR grants specific rights to individuals whose personally identifiable information (PII) is being collected, used, stored and shared. The DSR articles also empower those individuals to exercise those rights, which include the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability and the right to object, as well as rights related to automated decision-making and profiling. Any organization that handles the PII of European citizens must comply with the GDPR and, if an individual exercises a DSR, the data collector must comply in a timely manner and promptly provide notice of that compliance to the individual.

The GDPR has become the standard for global privacy regulations, and other jurisdictions have followed. In the US, the State of California has implemented a new privacy law, the California Consumer Privacy Act (CCPA), and New York has the “New York Privacy Act.” Every state in the US and most countries have some level of privacy regulation, and all have some form of breach notification requirement. These requirements can be very costly and time-consuming, and fines for non-compliance can be steep. Emerging privacy regulations mandate that firms which receive, share and outsource PII-processing to vendors and third parties must ensure that those vendors and third parties are compliant with the regulation.

Another new regulation that will impact airports is the “Internet of Things” (IoT) Cybersecurity Improvement Act of 2020, which was passed by the United States Congress on December 4, 2020. This bill requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to take specific steps to increase cybersecurity for IoT devices.

The Internet of Things (IoT) is the network of physical objects, or “things,” that are embedded with sensors, software and other technologies which connect to the internet and allow the exchange of data and information. IoT devices include a vast number of consumer, enterprise and industrial sensors and everyday objects. The most common IoT devices are cell phones, tablets, watches and computers, which are used by people to connect and share their data. Common IoT devices in airports include traveler information systems, traveler traffic monitoring, baggage systems, communication devices, cameras, and facilities management controls.

The IoT Improvement Act requires NIST to develop and publish standards and guidelines on behalf of the federal government regarding the appropriate use and management of IoT devices that are owned and controlled by government agencies. As is the case with most cybersecurity regulations, the requirements will likely soon filter down to best practices for commercial projects in the private sector.

As new technologies arise, they also will be subject to specific regulations based on their use and implementation. Technologies that collect, use and store PII will be particularly scrutinized. Biometrics, which are being used with increasing frequency at airports, is a good example of technology driving regulation. Health and safety concerns are pushing for more “touchless” facial recognition and eye retina-reading systems to be implemented. Several states already have enacted regulations regarding the proper use of biometric data, and others are expected to regulate the technology soon.

2.3 Industry Guidelines

The quickly evolving nature of both the technologies and their regulation means that airports and their vendors need to stay on top of both cybersecurity and privacy regulations, including those that are current and those on the horizon.

Industry organizations can help. The International Air Transport Association (IATA), which represents, leads and serves the airline industry, provides the civil aviation industry with valuable guidance and the latest updates on cybersecurity standards and regulations. The IATA’s latest report, published in January 2021, includes crucial cybersecurity developments as well as links to knowledge centers of some of the world’s leading industry watchdogs. The report can be found here: Compilation of Cyber Security Regulations, Standards, Guidance for Civil Aviation.

Once areas of potential weakness are identified, they should be prioritized for mitigation based upon the level of threat they present and possible ramifications, with threats that can affect the entire airport or large portions of its operations at the top of the remediation list.

2.4 Risk Management Tools

Once vendor and third-party risk management policies and procedures are established, the most important element is assessing and managing the risk. As discussed earlier, an airport relies on hundreds, if not thousands, of vendors to operate and serve its customers. Potential vendors should be required to have established, “mature” cybersecurity plans in place and show that those plans meet industry standards and, ideally, have been reviewed and certified by a reputable external auditor.

Vendors also should be required to formally attest to the maturity of their cyber-protections before contracts are signed, and be willing to police themselves and make similar attestations at specific intervals throughout the life of their contracts, as well as allowing a “right-to-audit” by the customer.

Airports themselves also should employ their own vendor controls, including systems for risk-rating, due diligence, on-boarding, continuous monitoring and off-boarding. Managing these activities and processes is far from easy, however, and the days of tracking activities with spreadsheets and shared document drives are long past.

Employing advanced management tools can help. In fact, there is an emerging category of vendor and third-party risk management software programs on the market, with a wide range of capabilities and features. (Notably, these additional vendors also need to undergo the same scrutiny as everyone else.)

In most cases, one solution alone may not be enough. Prudent airports should begin by developing a list of requirements and conducting a thorough evaluation of the solution(s) that best suit their needs. This evaluation should encompass a detailed outline of all the airport’s requirements, as well as its budget, resources, and capabilities.

Governance, Risk and Compliance (GRC) software is a valuable foundational tool for managing vendor and third-party risk. GRC programs are highly customizable, and are designed to manage, monitor, track, review and report on compliance with established policies and procedures.

Risk Assessment tools also can be vital to managing vendor and third-party risk. These tools assess risk based on a vendor’s product or services and its risk rating. They do, however, require the robust collection of key data. Once this data is entered and assimilated, risk assessment tools can produce a host of illuminating risk information. Consistent, thorough review of this information is essential.

Monitoring software is a newer tool that boosts vendor and third-party risk management by complementing existing processes. Monitoring programs oversee internet-facing IP addresses and domains to evaluate the performance of specific security controls. They also monitor public information for reports of data breaches, as well as the “dark web” for threat-related chatter by nefarious characters.

Training can be an invaluable tool in on-boarding new vendors and in managing overall vendor risk. Training can be easily tailored to meet each group’s specific needs and place in the airport ecosystem, can be accomplished virtually or in-person, can be ongoing and offered as often as an airport deems appropriate, and can be easily updated as new technologies—and new risks—emerge. The Chief Information Security Officer (CISO), whose primary role is to monitor and manage cybersecurity for the entire airport, plays a key role in managing vendor and third-party cyber-risk. The CISO oversees the entire risk management spectrum for the respective vendors and third parties, from assessment through implementation, management and termination. Depending on the size of the airport, a CISO might have a sizable team or, in many cases, leverage third-party service providers for specific subject matter expertise.

Conclusion

Technological advances and the integration of emerging solutions within airports’ infrastructure and their ecosystems are moving at a rapid pace. Consumers will continue to demand more services and safety improvements throughout their travel experiences. To successfully deliver on both, airports will need a multitude of vendors and third parties, which, in turn, cultivates a prime target for cyber-attackers.

Cyber-attackers aren’t going away. Cybercrime is a huge, growing and increasingly sophisticated business, with no end in sight. In addition, there is no single “silver bullet” that will eliminate all vendor and third-party risks. To effectively manage and minimize risk, airports must establish and maintain—and continually improve—a comprehensive program that manages risk at all levels and at all touch points. This is not an easy task, but it is achievable. Given the nature of an airport’s operations, its place in its community and the local economy, and the number of people who pass through it every day, failure cannot be an option.


ABOUT THE AUTHOR

Michael Corcione is a Partner at HKA Global, Inc., which provides multi-disciplinary risk mitigation and dispute resolution services to clients worldwide. Mr. Corcione has more than 30 years of experience in advising companies and boards of directors on technology, cybersecurity and privacy and risk management strategies. Over the past decade, he has led the delivery of Virtual Chief Information Security Officer (vCISO) services for advisory firms, which provide a CISO, along with cyber, privacy, and information security subject-matter experts, to organizations of all sizes and verticals. He is a member of the cybersecurity advisory board at Pace University, and a member of the Board of Trustees of the American Management Association International.

The information provided in this article is intended for general educational purposes only—it does not constitute legal, accounting, or other professional advice, and it should not be relied upon as the basis for your business decisions.

“To effectively manage and minimize cybersecurity risk, airports must establish, maintain, and continually improve their vendor and third party program to comprehensively manage risk at all levels and at all touch points. This is not an easy task, but it is achievable.”
Michael Corcione, Partner, HKA

This publication presents the views, thoughts or opinions of the author and not necessarily those of HKA. Whilst we take every care to ensure the accuracy of this information at the time of publication, the content is not intended to deal with all aspects of the subject referred to, should not be relied upon and does not constitute advice of any kind. This publication is protected by copyright © 2021 HKA Global Ltd.
