Analysis Research Design Assignment | Online Homework Help

Cyber security in airports
Received (in revised form): 22nd December, 2014
WAYNE SMITH
has been head of IT Services at Birmingham Airport since 2009, and has worked in the airport industry for
21 years. While overhauling the majority of IT operational systems, the requirements for cyber security
have become more prevalent and Wayne’s involvement in this area has led to him sitting as an ACI
representative on the European Civil Aviation Conference (ECAC) Cyber Study Group and working with
UK national bodies and their partners to further awareness and understanding of this vital area. Wayne has
a Master’s degree in airport management and is a Fellow of the British Computer Society and a chartered
IT professional. He sees technology as the major factor in influencing operational efficiencies in airports and
civil aviation.
Abstract
When it comes to cyber security, many organisations only have to consider their own physical,
or logical, boundaries. They may have limited connectivity to a supply chain, but they can control
who or what is able to access their systems. Meanwhile, airports have a more complex set
of connectivity issues. Imagine a situation where a passenger arrives at an airport to find that
their flight is delayed due to a cyber incident. Their initial reaction may be to blame the airport,
but there are many other systems involved with getting passengers and their bags onto a flight,
and getting the aircraft off the ground. For example, one might wonder what systems the check-in
staff (handling agents) are tapping their details into, without considering that they may be using
their own system — and what exactly a handling agent is and what relationship they have with
an airport — or one may be aware that they are simply accessing a departure control system
(DCS) that is hosted somewhere, not necessarily on the airport site. Who hosts the DCS and who
maintains it, and contractually who owns the legal relationship between the DCS and the handling
agent? This is not the airport but the airline with whom one is flying. Then, of course, the DCS
providers host their systems and equipment in data centres, yet again run by third parties in many
cases. This paper attempts to explain some of the issues associated with this complex set of
relationships and sets the background for some of the challenges that airports face when it comes
to cyber security.
Keywords
cyber, airport, disruption, check-in, baggage, AODB, DCS
Wayne Smith
INTRODUCTION
The concept of cyber security within
the airport environment is a challenge in
many ways. Airports do not make anything,
they do not hold plans for the latest
widget which others might want to steal
and in some cases they do not even hold
‘customer’ information.
Many people assume that the travelling
passenger is the customer of an airport,
but the airport has very little direct
interaction with the travelling passengers
as they are actually the customers of the
airlines, who then subcontract the handling
of those passengers to a handling
agent. So an airport rarely has access to,
or stores within its systems, passenger data.
Some airports process payment (credit
card) information for parking while at
others this is outsourced to a commercial
concession, so no credit card details are
stored. This is the case at Birmingham.
Wayne Smith,
Head of IT Services,
Birmingham Airport Limited,
B26 3QJ,
UK
Tel: +44 (0)121 767 8010
E-mail: Wayne.Smith@
birminghamairport.co.uk
Delivered by Ingenta
IP: 155.31.251.184 On: Sat, 02 May 2020 15:20:28
Copyright: Henry Stewart Publications
CYBER SECURITY IN AIRPORTS
© HENRY STEWART PUBLICATIONS 1750-1938 AIRPORT MANAGEMENT VOL. 9, NO. 3, 232–238 SUMMER 2015 233
● theft of intellectual property — an
extension of the criminal who actually
wants to steal something;
● the ‘hack’-tivist — who wants to disrupt
activities to cause a news event.
It is the threat of disruption that many
airports see as a key area of cyber security
that they need to protect against.
So the systems that can cause disruption
to the flow of aircraft are:
● any system that can affect the processing
of passengers, eg check-in, etc.;
● any system that can affect baggage, eg
the sort computer, hold baggage scanning,
etc.;
● any system that can affect the handling
of aircraft, eg the airport operational
database (AODB).
It may therefore seem relatively simple
to secure these systems as far as possible
and all is well. Unfortunately, none of
the above systems can operate in isolation —
they all rely on a chain of other systems to
operate effectively — all operated by a
number of disparate companies.
CHECK-IN
The check-in network at many airports,
especially larger airports, is a common-use
environment, meaning that any desk can
be used by any airline. The older standard
common user terminal equipment
(CUTE) has been more recently replaced
with the common user passenger processing
system (CUPPS). This makes desk
planning and allocation easier for airports,
but it means that the peripherals on every
desk must be accessible to every departure
control system (DCS).
A DCS is the computer system that
allows a handling agent to check passengers
into a flight. In most cases, DCSs are
So what is it that the airport is trying to
protect? The most sensitive information
stored could be argued as being employee
data, or commercially sensitive contracts
between the airports and either airlines
or shopping units. While the leakage of
either of these would result in damage to
the company’s reputation, it is unlikely to
have a long-term effect of the viability of
the company.
What is more important from an airport
perspective is to protect any system
that can cause disruption. The ‘crown
jewels’ of an airport can be argued as
being those systems that prevent passengers
or bags getting to an aircraft, or an
aircraft getting onto or off the ground.
Airport systems are traditionally divided
into two types, those that are operationally
necessary to run the airport (check-in,
baggage, etc.) and those that allow the
airport to operate as a business (e-mail,
finance, HR/payroll, etc.). Each can be
thought of as important to the running
of the business but one, the former, has
an immediate effect on the profitability of
the business should they be disrupted.
Wayne Smith took responsibility for
cyber security at Birmingham Airport
following his appointment as head of IT
services in 2009. Cyber security became
one of the focuses of the organisation as its
profile rose, which led to Mr Smith becoming
one of the industry representatives for
ACI (Airports Council International) on
the European Civil Aviation Conference
(ECAC) Cyber Study Group.
Generically, there can be many reasons
for cyber criminals to attack a
company.
● the hobbyist — who wants a badge of
honour by hacking into a company;
● the criminal — who wants to make
money by holding the company, or their
data, to ransom;
Delivered by Ingenta
IP: 155.31.251.184 On: Sat, 02 May 2020 15:20:28
Copyright: Henry Stewart Publications
SMITH
234 © HENRY STEWART PUBLICATIONS 1750-1938 AIRPORT MANAGEMENT VOL. 9, NO. 3, 232–238 SUMMER 2015
hosted off-site from airports as airlines will
have a relationship/contract with a DCS
provider internationally. This gives them
commonality of systems and economies of
scale as they can use the same DCS at all
of their destination airports. The result for
airports is that they in turn have to connect
with a number of DCSs. In a worst case
scenario, this could be one per airline, but
thankfully there are a number of popular
systems which many airlines share.
When a passenger is checked in at a
desk within the airport site, the data pass
through the check-in system (the CUPPS)
to the DCS, and the resultant boarding card
and bag tags are sent back to the peripherals
on those desks. The interesting factor
here is that the data, passing through the
network, are not necessarily accessible by
the airport company — due to the passenger
being a customer of the airline.
From a cyber security (disruption)
viewpoint, this raises one of the challenges.
The DCS itself and its provider can certainly
disrupt the flow of passengers onto
a plane — possibly at many airports and
affecting many airlines — but the airport
has no direct relationship with any DCS
provider.
The picture gets further complicated
when DCS providers host their DCSs in
third-party data centres. This starts to build
a ‘chain of risk’, as shown in Figure 1.
The diagram shows the situation at
Birmingham Airport whereby the airport
owns the check-in network and a third
party provides the software that runs on
it (the CUPPS platform). Additionally, an
outsourced third-party contract is in place
for the check-in system. That is three
companies involved before the system
leaves the airport boundary.
There then comes the DCS provider,
with their support company, and their
hosting company (with the possibility
of the hosting company using a third
party to maintain their equipment). Even
a modest-sized airport with 12 DCSs
and one check-in network results in
39 potential companies involved in the
chain of control of getting passengers
onto planes.
It can be argued that to understand
this situation is a way to start controlling
it; where an airport itself owns the infrastructure
for a check-in system, that is a
good starting point. Some airports are,
however, what is termed a ‘club site’.
A club site is where the airport company
does not get involved in the provision
of a check-in network and system.
In such cases the airlines club together
and approach check-in manufacturers
directly. There is then a committee that
takes responsibility for the check-in system
as it is shared between all of the
CUPPS
Maintenance
Airport
Network
Check-In
Desk
DCS
DCS Hosting
Company
Hosting
Company
Maintenance
CUPPS
Provider
Figure 1 Check-in system connectivity
Delivered by Ingenta
IP: 155.31.251.184 On: Sat, 02 May 2020 15:20:28
Copyright: Henry Stewart Publications
CYBER SECURITY IN AIRPORTS
© HENRY STEWART PUBLICATIONS 1750-1938 AIRPORT MANAGEMENT VOL. 9, NO. 3, 232–238 SUMMER 2015 235
airlines local to that site. They rely on the
check-in system manufacturer to ensure
the system is safe, secure, resilient, etc. —
assuming they have specified that in their
statement of requirements. Some airlines
may pass details of the proposed system
back to their central IT departments for
comments, but the risk exists in these
situations whereby non-technical people
will be procuring a system with limited
knowledge of cyber security.
BAGGAGE SYSTEMS
The second area that can cause disruption
to airports is the baggage system — or
rather, systems. People generically refer to
the baggage system in a singular sense, but
there are in fact many systems that make
up the baggage system.
When a bag tag is printed for a piece
of hold baggage (as opposed to cabin
baggage), the DCS sends a code to
the bag tag printer on the desk, which
is printed as a barcode on the bag tag.
There is far more information that the
systems need to know in order to get the
bag onto the right aircraft, but for now it
just knows a code. The bag is dispatched
down the belt and most people see it disappearing
behind a wall and hope it gets
to the right place.
When a bag tag is printed, the DCS
initiates a baggage service message (BSM)
that is routed back to the airport via a
different route — and a different set of
companies. There are a small numbers
of suppliers worldwide who offer baggage
message routing, but they all work in
essentially the same way. The bag message
gets routed to a server in the country of the
airport (or geographically close — bearing
in mind that a DCS serving airlines
at Birmingham can be located anywhere
in the world). So the BSMs for Birmingham
are routed via a hub in London and
hence back to the baggage system in
Birmingham.
In the meantime, the bag is travelling
round the baggage system and is being
scanned for prohibited items. In the UK,
100 per cent of hold baggage is scanned
for dangerous goods. The first level is done
by a computer, and if this is OK, the bag
is released for sorting. If the computer
thinks there is something that needs a
more detailed look, an operator will
examine the image of the bag. If they do
not respond to the bag within a set time
period, or if they decide the bag needs
further scrutiny, it will be scanned a third
time with the image being shown to a
different operator. If the bag then needs
further investigation, it will be routed for
a more forensic examination. When any
of the above steps are passed, the bag will
be released for sorting.
The challenge from a cyber perspective
here is that the hold baggage screening
companies are contracted directly with
the airlines (similar to a club site in the
check-in situation), and at Birmingham
this is an independent third-party
organisation.
When a bag gets released for sorting,
the tag on the bag is read by an array
of lasers so that the information in the
BSM can be virtually linked to the tag
number. The sort allocation computer
(SAC) can then decide where to route
the bag to ensure it ends up on the correct
aircraft.
This is not the end of the baggage process,
however, as the bag still needs to be
reconciled with the passenger. As bags
get loaded onto aircraft, or into the bins
that are used on larger aircraft, they are
scanned again by a handling agent using
the baggage reconciliation system (BRS).
The BRS WiFi guns tell the operator
whether the bag is OK to be loaded for
that flight, and keeps a record of where
Delivered by Ingenta
IP: 155.31.251.184 On: Sat, 02 May 2020 15:20:28
Copyright: Henry Stewart Publications
SMITH
236 © HENRY STEWART PUBLICATIONS 1750-1938 AIRPORT MANAGEMENT VOL. 9, NO. 3, 232–238 SUMMER 2015
(approximately) that bag is. Should a passenger
then fail to show up for a flight, the
bag is off-loaded (with the BRS telling
the handling agent where the bag should
be). Automated BRSs tend to be used at
larger airports, whereas smaller airports
use a manual system.
The BRS is a separate system from
the other baggage systems, which may be
on-site or may be hosted.
The only other part of the baggage
system not covered so far is supervisory
control and data acquisition (SCADA).
The SCADA monitors and controls all
of the PLCs that make the mechanical
aspects of the baggage system (belts,
motors, etc.) run. These SCADA systems
were traditionally stand-alone systems
which have become interconnected over
time to allow for remote support and software
updates.
So, to summarise, the baggage system
consists of the following sub-systems:
● sort allocation computer (SAC);
● baggage reconciliation system (BRS);
● supervisory control and data acquisition
(SCADA);
● hold baggage screening;
● bag message system.
Even in a modest-sized airport where
the airport contracts for these services, it
is possible to see the complexity of the
system linkages with many different parties
involved and this only becomes more
complicated where airports take the club
site approach to deliver these services.
At Birmingham Airport, the airport see
advantages in taking ownership of these
aspects, but there are still a number of
disparate parties involved. Again, add in
the network provider and the maintenance
provider and the chain of risk for the
baggage systems generically can grow to
another large number of companies.
AIRPORT OPERATIONAL DATABASE
(AODB)
When a flight is due to operate from an
airport, skeleton data are interfaced into
the AODB from a third-party scheduling
system. These skeleton data are then
added to as the flight becomes more
certain and more details are known
about it.
Once again, however, it is not necessarily
the airport company that initially
knows about this data. As an example,
airlines may initially not allocate a specific
aircraft to operate that flight, so the
aircraft registration may not be known
until near the departure time. The aircraft
registration determines the type of
aircraft and even its individual dimensions
(as some aircraft of the same type
may have winglets, while others may
not). This seemingly minor point has a
major impact on which aircraft stand an
aircraft can be allocated to. Then, as the
flight progresses, times will be added as
the status changes (eg as it is boarding),
and eventually the number of passengers
will be added.
All of these actions are carried out by
handling agents who own the contracts
for different airlines. At Birmingham
the principle of not dual keying data is
adhered to, with the vast majority of the
data being interfaced from the systems of
the different handling agents. Additionally,
other interfaces exist from bodies
such as the air traffic control authority
and EuroControl for inbound en route
times.
Once again, it can be seen that without
the downstream data, the AODB would
fail to operate effectively, and also that
the airport is only one link in the chain.
Upstream, the data are then interfaced
from the AODB into many more systems,
such as the website, baggage allocation
systems and financial billing systems, just
Delivered by Ingenta
IP: 155.31.251.184 On: Sat, 02 May 2020 15:20:28
Copyright: Henry Stewart Publications
CYBER SECURITY IN AIRPORTS
© HENRY STEWART PUBLICATIONS 1750-1938 AIRPORT MANAGEMENT VOL. 9, NO. 3, 232–238 SUMMER 2015 237
to name a few. In fact, the AODB is seen
as the main operational database for many
airports.
The issues mentioned previously of
many companies being involved in the
data flows into and out of the system are
replicated in the AODB and are a common
theme of airport IT operations.
WHAT DO THE STANDARDS SAY?
Airports form part of the critical national
infrastructure, and as such certain standards
apply to them. In the draft EU Legislation
on Cyber Security (2013),1 airports
are listed as one of the market operators
and para (26) recognises the fact that the
legislation applies equally to outsourced
companies in this area.
The draft directive goes on to say,
‘Member States shall ensure that [airports]
notify to the competent authority of incidents
having a significant impact on the
security of the core services they provide’.
As discussed above, a cyber attack on a
system downstream of an airport can have
a major impact on one or more airports,
and yet it may fall outside the scope of
this draft directive once it is agreed and
published.
A more specific standard, EN 16495,2
recognises the interconnectivity of systems
which are essential for aviation to
operate. ‘Service delivery in aviation is
greatly defined by the cooperation of
the individual participants. An organisation’s
information security management
is therefore dependent on the information
security management of organisations
with which it cooperates to deliver
service.’
The standard, which is based on ISO/
IEC 27002, then goes on to explain in
more detail what should be done and
what should be shared. While this is an
invaluable resource for airports and other
aviation-related companies, as yet it seems
to be relatively unknown. It is also not
mandatory or even recommended by
authorising bodies, although changes are
occurring in this area.
PROTECTION
At Birmingham, a pragmatic approach
is taken to cyber security. While it is
infinitely possible to spend ever more
money and resources on defences, without
guaranteeing any further resilience,
this is not the approach that is taken.
All of the standard tools are in place that
one would expect of a major organisation
and the company is working towards
best practice guidelines as outlined in the
above section (whether currently recommended
or not), but just as important
are the resilience of the systems and
plans for recovery should the worst case
happen.
Resilience has been designed into
the network with all non-edge switches
being routable by two geographically
diverse routes (in case of a physical
attack). All Tier 1 systems are run from
a resilient pair of servers (or more in
some cases), with the servers being split
between two data centres, housed in different
buildings. The back-up of all data
is held in a third location within the
airport site.
Manual procedures are checked (and
simulated) on a regular basis, whereby the
control centre reverts to manual operation
of the AODB functions. Each year
a penetration test is run with no company
being employed for more than two
years to ensure that different aspects are
being tested. Additionally, a simulated
social engineering phishing test is conducted
by a company (which again is regularly
changed), to try and trick users into
clicking on links in e-mails.
Delivered by Ingenta
IP: 155.31.251.184 On: Sat, 02 May 2020 15:20:28
Copyright: Henry Stewart Publications
SMITH
238 © HENRY STEWART PUBLICATIONS 1750-1938 AIRPORT MANAGEMENT VOL. 9, NO. 3, 232–238 SUMMER 2015