Written by Michail Senis, Practice Leader & Expert Airport, ICT and Javier Caldés-Casas, Expert Aviation Security, ICT
Airport stakeholders often develop visions for digital terminals and the digitalization of airport operations. New Information and Communications Technologies (ICT) like Artificial Intelligence (AI), 5G networks and Internet of Things (IoT) sensors are at the peak of inflated expectations as per the Gartner Technology Hype Cycle (figure 1). First implementations are present within the digitalization roadmaps and ICT investments of the most advanced international airports and/or airport/terminal construction projects around the globe.
Modern airports embrace the benefits of automation and new technologies for operational efficiency, reduction of maintenance costs, customer satisfaction and predictive capacity planning. However, new technologies also bring along new potential vulnerabilities. The European Aviation Safety Agency (EASA) estimates that an average of 1,000 attacks occur per month on aviation systems, making them a real threat to airport safety, security, and reputation.
Cyber security risks evolve fast and the very nature of cyber-attacks, characterized by their low cost, makes them easily affordable to terrorist and criminal organizations.
Artificial Intelligence is developing fast. It will change our lives by increasing the capacity and efficiency of airports through predictive analytical Business Intelligence (BI), improving the performance of operational systems through prognostic maintenance, enhancing airport security through video analytics, improving healthcare through more precise diagnosis, and in many other ways that we can only begin to imagine. At the same time, AI entails a number of potential risks, such as opaque decision-making, gender-based or other kinds of discrimination, intrusion into our private lives or use for criminal purposes. AI is a collection of technologies that combine data, algorithms and computing power, and these technologies are mainly associated with the risk of data leakage through big data technologies.
As with any new technology, the use of AI brings both opportunities and risks. Citizens fear being left powerless in defending their rights and safety when facing the information asymmetries of algorithmic decision-making, and companies are concerned by legal uncertainty. While AI can help protect citizens’ security and enable them to enjoy their fundamental rights, citizens also worry that AI can have unintended effects or even be used for malicious purposes. These concerns need to be addressed. Moreover, in addition to a lack of investment and skills, lack of trust is a main factor holding back a broader uptake of AI. The European Commission has established a High-Level Expert Group that published Guidelines on trustworthy AI in April 2019. The Commission published a communication welcoming the seven key requirements identified in the Guidelines of the High-Level Expert Group:
Airport ICT managers and cyber security officers are carefully monitoring advancements in the cyber security aspects of AI and are currently enforcing policies and procedures to ensure full compliance with the General Data Protection Regulation (GDPR) act of 2016, enforced since 25th May 2018.
AI is a double-edged sword. While the beneficial possibilities of its use will be endless (although we are not there yet), from mitigating the risk of coding errors to automated vulnerability management, Identity and Access Management (IAM) and Privileged Access Management (PAM), the reality is that today’s bad guys are not standing still. Malicious actors are usually supported by computer science graduates with advanced degrees in AI and Machine Learning (ML). ML, for example, can be fooled by creating a tide of positive alarms, which could cause the detection system to disregard a type of attack. The attacker could then launch the real attack, which would look just like another false positive.
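The alarm-flooding failure mode described above, as an added example that is not part of the original article: a triage rule that mutes an alert type once its recent verdicts are almost all false positives, next to a guarded version that treats a volume surge over the type's own baseline as a reason to escalate. The alert type name, window, thresholds and alert data are assumptions constructed for illustration.

```python
from collections import Counter

def build_sample():
    """Constructed alerts: (hour, alert_type, analyst_verdict). Not real data."""
    alerts = []
    for hour in range(6):  # hours 0-5: normal volume, half the alerts are real
        alerts.append((hour, "badge_anomaly", "true_positive"))
        alerts.append((hour, "badge_anomaly", "false_positive"))
    for hour in (6, 7):    # hours 6-7: a tide of 40 benign alerts per hour
        alerts += [(hour, "badge_anomaly", "false_positive")] * 40
    return alerts

def fp_ratio(alerts, alert_type, start, now):
    """Share of this type's alerts in hours start..now closed as false positives."""
    recent = [v for h, t, v in alerts if t == alert_type and start <= h <= now]
    return recent.count("false_positive") / len(recent) if recent else 0.0

def naive_policy(alerts, alert_type, now, window=2, fp_threshold=0.9):
    """Weak rule: mute a type once its recent alerts are nearly all false."""
    ratio = fp_ratio(alerts, alert_type, now - window + 1, now)
    return "suppress" if ratio >= fp_threshold else "keep"

def guarded_policy(alerts, alert_type, now, window=2, fp_threshold=0.9,
                   surge_factor=3.0):
    """Same rule, but a surge over the type's own baseline escalates instead."""
    per_hour = Counter(h for h, t, _ in alerts if t == alert_type)
    start = now - window + 1
    baseline_hours = range(max(start, 0))
    total = sum(per_hour[h] for h in baseline_hours)
    if total == 0:
        return "keep"  # no history to compare against: never auto-mute
    baseline = total / len(baseline_hours)
    recent = sum(per_hour[h] for h in range(start, now + 1)) / window
    if recent >= surge_factor * baseline:
        return "escalate"  # flood of one type: route to an analyst, do not mute
    return naive_policy(alerts, alert_type, now, window, fp_threshold)

if __name__ == "__main__":
    sample = build_sample()
    for hour in (5, 7):
        print(hour, naive_policy(sample, "badge_anomaly", hour),
              guarded_policy(sample, "badge_anomaly", hour))
```

With the constructed data, the naive rule mutes the alert type during the flood, while the guarded rule keeps it visible and escalates it.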
While AI can be used to automate security checkpoints, adversarial AI causes machine learning models to wrongly interpret inputs into a system and behave in a manner favourable to an attacker. Adversarial ML can be used to feed input into an algorithm so that it discloses the information it has been trained on, or simply to distort input so that systems fail.
5G networks will play a central role in achieving the digital transformation of the EU’s economy and society. Indeed, 5G networks have the potential to enable and support a wide range of applications and functions, extending far beyond the provision of mobile communication services between end-users. With worldwide 5G revenues estimated at €225 billion in 2025, 5G technologies and services are a key asset for Europe to compete in the global market.
5G networks will provide virtually ubiquitous, ultra-high bandwidth and low latency connectivity not only to individual users but also to connected objects. Thanks to these technical characteristics, 5G networks are expected to serve a wide range of applications and sectors, mainly autonomous driving and IoT sensor connectivity. In airports, apart from the private mobile networks within the terminals, 5G will support broadband operational connectivity in apron and runway areas. 5G could also support automated airport ground handling and robotized Baggage Handling System (BHS) facilities.
From a technological perspective, 5G networks will make use of a number of new technical features, compared to the current situation in existing networks such as:
These new features will bring numerous new security challenges. In particular, they will give additional prominence to the complexity of the telecoms supply chain in the security analysis, with various existing or new players, such as integrators, service providers or software vendors, becoming even more involved in the configuration and management of key parts of the network.
At the same time, 5G technologies and standards could improve security, compared to previous generations of mobile networks (2/3/4G), due to several new security functions, such as stricter authentication processes in the radio interface. These new security features will however not all be activated by default in the network equipment, and therefore their implementation will greatly depend upon how the operators deploy and manage their networks.
The two main stakeholders involved are of particular relevance to the cyber security of 5G networks:
Modern airport operators will most probably outsource the 5G infrastructure and investments to Mobile Network Operators (MNOs) and rely on their cyber security plans through potential audits and penetration tests. In cases where indoor Distributed Antenna Systems (DAS) are part of the airport ICT network infrastructure, vulnerability assessments and penetration testing should also be included in the airport's cyber risk mitigation plans as per the ISO 27001 ISMS program.
The Internet of Things (IoT) can be defined as “a pervasive and ubiquitous network which enables monitoring and control of the physical environment by collecting, processing, and analysing the data generated by sensors or smart objects.”
IoT includes Machine-to-Human communication (M2H), Radio Frequency Identification (RFID), Location-Based Services (LBS), Lab-on-a-Chip (LOC) sensors, Augmented Reality (AR), robotics and vehicle telematics (figure 2).
The Internet of Things is presently a security nightmare. Despite all the innovation that promises to make our daily life more effortless, there are significant risks involved. For IoT devices, these include personal information being stolen and devices being hijacked and remotely controlled, which can even lead to loss of life and property.
A significant example is the botnet attack on IoT devices named Mirai (Japanese for “the future”), which occurred in 2016. Interestingly, the Mirai botnet exploit took advantage of publicly known default credentials (62 username and password combinations) to compromise thousands of IoT devices. Mirai logged into IoT devices such as IP cameras, home routers, and video recorders to execute a DDoS (Distributed Denial of Service) attack on a very large scale: up to 300,000 vulnerable IoT devices were employed to attack networks primarily in the United States.
In the USA, the state of California has recently stepped in to regulate IoT devices sold within its state. Even though this legislation only covers the state of California, its effects will reach much further. Since companies do not wish to develop devices specific to one state, the benefits will trickle down to the rest of the consumers. California’s Senate Bill No. 327, which took effect in January 2020, is far from perfect, since in many cases it is open to interpretation; however, it is a start.
Additionally, also in the USA, the IoT Cybersecurity Improvement Act of 2019 aims to improve upon the similar act introduced in 2017. This bill calls on the National Institute of Standards and Technology (NIST) to make recommendations for identity management, patching, and configuration of IoT devices.
In the EU, the European Telecommunications Standards Institute (ETSI) recently published an IoT standard (ETSI TS 103 645) that aims to “establish a security baseline for Internet-connected consumer products and provide a basis for future IoT certification schemes.”
Many vulnerabilities of the traditional IT environment still exist in IoT products in addition to the new ones that are introduced by the complex, heterogeneous, distributed, and dynamic IoT environment as follows:
IoT devices are more dangerous than traditional computers because they sense the world around us, and affect that world in a direct physical manner.
Airports are incredibly vulnerable when undertaking large IoT deployment projects. A key factor is the careful design of the campus network over which the IoT sensors communicate and of the respective perimeter security measures. Certain network architecture design techniques for IoT networks are currently available that will harden the airport's network security perimeter.
Cisco, as a technology leader in network evolution, has proposed the use of many different security technologies and solutions throughout the network architecture, especially across the core and data center cloud layers, where there are unique challenges in the IoT space. The nature of the endpoints and the sheer scale of aggregation require special attention in the overall architecture to accommodate these challenges. Cisco suggests an IoT/M2M architecture composed of four layers, some of which are similar to those described in conventional Cisco network architectures.
Resilience is not about returning to a previous state after an attack but adapting to that attack, managing the bad outcomes, and learning from the incident so future incidents are less likely.
In Richard Clarke’s simile using the NIST Cyber Security Framework’s five functions (Identify, Protect, Detect, Respond and Recover), the 1980s were the Identify decade, the 1990s the Protect decade, the 2000s the Detect decade, the 2010s the Respond decade and the 2020s will be the Recover decade. It is time to focus on resilience, swiftly adapting to emerging threats to ensure recovery. Business Continuity Management (BCM), your Plan B, must be embedded in each of your airport operations, including cyber security (figure 3).
The starting point is to understand your ecosystem, its particular threats and vulnerabilities and develop a strategy with full commitment from top management. Modern airports have to be SMART with the use of new technologies. The future is now.
Munich Airport International (MAI) is leading the development of the ICT master planning and design of new airport/terminal ecosystems around the globe. MAI closely collaborates with aviation ICT and cyber security technology leaders to ensure that the vision of the airport/terminal stakeholders is also a cyber secure one.
Michalis Senis is an Electrical and Computer Science Engineer with unique experience in airport ICT systems start-ups and operations. He received his MSc/D.I.C. in Communications and Digital Signal Processing from Imperial College of London. During his extensive 23-year career, mostly in the aviation industry, he has held key ICT management roles at Vodafone and Athens International Airport. Since 2003 he has been involved in numerous airport ICT projects around the globe, with a unique track record of assisting airport start-ups and ICT transformations in international airports. In 2015 he joined Munich Airport as Senior ICT business consultant, leading the ICT service portfolio. Currently, as Practice Leader, he is involved in EWR T1 and JFK T1, leading the ICT work streams in the USA. He is a Chartered Engineer and is ISO22301, ITIL v3 and PMP certified.
Javier Caldés-Casas is an engineer with a Master's degree in Aerospace Engineering (RMIT, Australia) and various courses and postgraduate studies in Intelligence Services (Defense, Spain), Strategic Intelligence (QUT, Australia), Cybersecurity (Harvard Continuing Education), Counter-terrorism & Technology (IDC, Israel) and Leadership & Management (CSU, Australia). Javier has held positions in the Australian Department of Home Affairs, in AirServices Australia (ATC) and also in the private sector as airport engineer, aviation manager, general manager and project and quality manager.