Critical Infrastructure

New Study Reveals Cybersecurity Risks in the World’s Largest Airports

Brian Thomas | February 7, 2020

Back in 1990, Hollywood producers imagined a complex plot in which an army of mercenaries with malicious intent hack into and take over the air traffic control system at Washington Dulles International Airport. The result was the classic movie, Die Hard 2.

Fast forward to 2020 and a new study suggests that glaring gaps in the cybersecurity posture of many of the world’s largest airports makes movie-level cyber attacks easier to orchestrate than ever, and from anywhere in the world.

The report, State of Cybersecurity at Top 100 Global Airports, finds that all but three of the world’s biggest airports have “an alarming lack of systems in place to protect their websites, mobile applications, and public clouds,” reports TechRepublic.

Airports receive bad grades for website, mobile app, cloud, and data protection

Digging deeper into the report reveals that dozens of airports failed to make the grade for website security, with only three receiving an A+ grade. Worse, nearly one in four received an F grade due to their use of outdated software, including content management systems (CMS) like WordPress that have known and exploitable security vulnerabilities. These vulnerabilities are also prevalent across 24% of airport websites, while nearly 25% of those sites lack SSL encryption or use the now-obsolete SSLv3.

The security posture of airport mobile apps (used to enhance passenger engagement and experience) is even worse. For the 36 apps examined, researchers uncovered more than 500 security and privacy issues and 288 mobile security flaws — an average of 15 per application. Meanwhile, 34% of those apps lack encryption of outgoing traffic, putting personal and financial customer data at risk.

Indeed, data loss emerged as a significant finding, with 66 of the top 100 airports flagged for having data — such as IDs, financial records, and passwords for production systems — exposed on the Dark Web as a result of a data breach. Many of these leaks originated on public code repositories used by application developers.

Finally, the report finds that some airports (3%) are not doing enough to protect cloud environments that host sensitive data.

Why airport cybersecurity matters

Traditionally, airport security is invariably associated with passenger screening, bag checks, and long lines. But airport operators and passengers should also care about and demand stringent cybersecurity measures at the airports they travel through.

Millions of people and organizations entrust their data to international airports each day. This makes airports attractive to cybercriminals who may consider attacking vulnerable systems to target travelers, cargo traffic, or disrupt critical national infrastructure.

How to reduce cyber risk

To reduce the risk of cyber attacks within any airport environment, cybersecurity leaders must first understand their organization’s risk surface. Only then can they make decisions about which controls to implement and where to allocate their limited resources to secure their valuable assets from threats.

We recommend that airport cybersecurity teams run continuous discovery programs and perform constant inventories of their digital assets. In doing so, they can gain visibility into risk exposure from outdated software, known and unknown vulnerabilities, misconfigured systems, undetected malware, and unsecured access points — across web assets, clouds, and on-site systems.

For example, using BitSight Security Performance Management, airport security administrators can continuously monitor, measure, and communicate the efficacy of the cybersecurity controls they have in place; shine a light on cyber risk; and see what assets they have in the cloud and how they’re configured.

But cybersecurity teams must also look beyond the perimeters of their own IT infrastructure. In today’s increasingly interconnected world, threat actors often exploit third, fourth, and even nth parties to launch their attacks. Therefore, it’s vital that airport cybersecurity teams conduct in-depth audits of their vendors and suppliers — and implement a third-party risk management solution that goes beyond paper-based questionnaires to immediately expose the riskiest cyber issues within the supply chain.

With BitSight for Third-Party Risk Management, security administrators can immediately identify threats within their supply chains, target resources at vendors who have the highest level of cyber risk, reduce the time it takes to complete cybersecurity assessments, and work with vendors to close gaps in their security programs. This can be achieved quickly and at scale, using the resources many airport cybersecurity teams already have today.

Protecting travelers’ sensitive data

Unlike in the movies, it only takes a single industrious attacker to do significant damage in our nation’s airports. Unfortunately, it doesn’t appear that many of those airports are prepared for this new reality. 

Today’s airport cybersecurity teams must do everything they can to protect their travelers’ sensitive data by quickly identifying and patching vulnerabilities and flaws. Of course, that takes more than just traditional firewalls. It takes a rigorous and ongoing approach to cybersecurity. Because Bruce Willis isn’t walking through that door to save the day.

cybersecurity performance management

Suggested Posts

New Study Reveals Cybersecurity Risks in the World’s Largest Airports

Back in 1990, Hollywood producers imagined a complex plot in which an army of mercenaries with malicious intent hack into and take over the air traffic control system at Washington Dulles International Airport. The result was the classic...

READ MORE »

From Framework to Application: Security Ratings and NIST

This is the introductory post in a series exploring how security ratings can address key aspects of the National Institutes of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The purpose of...

READ MORE »

Security Performance in the Utilities Sector: Steps for Progress

For years, it has been widely-known that the Utilities industry has struggled with cyber security in relation to other industries. In 2014, Unisys and the Ponemon Institute found that 70% of Utility companies surveyed around the world had...

READ MORE »

Subscribe to get security news and updates in your inbox.