The cyber domain has become the new battlefield of malicious activities. Cyber criminals attack every 39 seconds somewhere in the world. To combat these threats, ACI EUROPE’s member airports, together with the Transportation Security Administration (TSA) and European regulators, created a list of 18 cybersecurity requirements to help airports to collaborate with vendors and ensure “cybersecurity by design” in security screening equipment. Report by Daiga Dege
The continuous interconnectedness of the modern world and the use of technology and digital tools that help to foster and promote our lifestyle provide us with comfort, safety and security, but also become a source of vulnerability. In other words – the more technology we use to improve security, the more vulnerabilities we are exposed to, thus decreasing security. How do we deal with this dilemma? The answer is simple but yet complicated – it is cybersecurity. Cyber-attacks and threats have transnational components and can affect civil aviation’s infrastructure and ecosystem. Dependency and reliance on technology in civil aviation call for a united approach in tackling cyber threats. Cybersecurity is not about this very moment, but it is mostly about understanding how to prepare for what’s next. The key for cyber resilience in this complex and vastly connected world is to collaborate across the public, private and academic sectors where each brings its own strengths.
In July 2020, ACI EUROPE and its members, together with the TSA, Canadian Air Transport Security Authority (CATSA), some European regulators and a number of international airports, produced a document titled “Open Architecture for Airport Security Systems” with a significant focus on cybersecurity. This document aims to foster opportunities for increased innovation and access to a broader range of suppliers and systems to meet operational requirements.
In this context, Open Architecture is, at its core, an open infrastructure where the needs and opportunities for enhanced cybersecurity are discussed. It provides a platform to cooperate and create a tailored approach to various components of security equipment, such as security scanners, X-ray technology, Explosive Trace Detection (ETD), Closed-circuit television (CCTV) and many others. This includes requirements and guidelines to acknowledge the needs of airports and to stimulate open discussion with vendors on the specifications of their product, thus creating reciprocal communication and agreements. Open Architecture is built on expectations and deliverables that benefit both sides and help to clearly build a pathway to strong and reliable business partnerships. Dynamic, resilient and adaptable tools that respond to emerging threats allow us to advance in a rapidly changing environment and to achieve technological advancements in security screening equipment. Airports heavily rely on the efficiency of screening equipment to reduce security threats and detect illegal activities. The success of these systems is based on the hardware that is operated by a specific software. The possibility of malicious attacks on the system can cause disruptions and even losses with unimaginable consequences. Therefore, the long-term goal of cybersecurity should be focusing on the Zero Trust model, which is based on strict verification of every person and device that are trying to access resources on private networks. The main principle of the Zero Trust model is that there are no grounds for the assumption that trust in anyone accessing the airport network architecture, even from within, should be granted automatically.
The Open Architecture document includes 18 cybersecurity requirements that serve as a baseline for vendors to ensure that the data is being protected and that necessary cybersecurity components are built in when developing new technology and operating with innovative solutions for airport screening equipment. These requirements serve as a stepping stone for closer cooperation between airports, regulators and suppliers, built upon mutual understanding and confidence and, most of all, with the primary goal of ensuring security for passengers.
This project serves as a handbook to understand and address modern cybersecurity challenges in screening equipment. Nevertheless, much more is yet to come. Like every book, document, list and article (just like this one), this is the start of a long conversation that has multiple layers of complexities, variables and is set to adapt and change over time. As Denis Waitley puts it: “Expect the best, plan for the worst and prepare to be surprised.”
Open Architecture for Airport Security Systems is available here: https://www.aci-europe.org/component/attachments/attachments.html?id=1102&task=download
Daiga Dege is ACI EUROPE’s Cybersecurity Coordinator.