Extending the airport boundary: Connecting physical security and cybersecurity
Airports are more and more dealing with considerable challenges towards effective airport security. This paper provides a broader perspective on airport security, discusses the connection between physical and cyber-security and recommends a collaborative approach related to the cybersecurity issues of BHSs. Efficiency (passenger flow) and passenger experience are the drivers in this context.
The authors introduce a practice about creating a platform for sharing information and knowledge to defend airports against cyber and terror attacks. The threat is shifting from airside to landside, towards public areas. Security should be integrated into the design of the passenger journey, and the security boundary should be extended. This practice not only identifies zones with specific characteristics within the passenger journey but also connects vertical zones to infrastructure outside the airport perimeter. Access control, third-party supply chain and airports being part of a broader business network should not limit security to physical access but also include digital access, including insider threat.
This initiative is translating general best practices into solutions against specific risks in determined areas. For cybersecurity as a start, it focuses on the baggage handling system (BHS) being industrial operating machines. Especially this baggage handling is a ‘forgotten’ area for (cyber)security. Airports tend to extend and build on existing equipment and therefore old programmable logic controllers (PLCs) and industrial (digital) equipment designed with an operational focus are still in use and often connected to newly installed machines. Since the main focus within airports is often on other areas, the implementation of European Civil Aviation Conference (ECAC) Std. 3 brings additional risks for BHSs to airports.
Creating this (cyber)security information-sharing platform could build a road map for security to be shared with other airports. Implementation of location-based security, through monitoring of communication of surrounding control systems, will input identified specific BHS threats into the platform. After this first assessment of the BHS, the scope and the number of airports or external parties involved could be expanded.