No Free Falling: Safe and Secure Airport Systems in the Digital Transition
Most conversations about the industrial Internet of Things (IIoT), safety and security treat two subjects as stand-alone topics: “smart” machinery or process safety to protect people and equipment, and industrial control system security.
These conversations are important and valid. However, too many industrial companies are not focused on the inherent safety implications of common security risks. As found in a 2020 report by cybersecurity firm ImmuniWeb, only three of the world’s top 100 international airports passed the basic high-level cybersecurity test.
Airports’ vulnerability to cyberattacks not only impacts operations but also puts their employees and travelers at risk.
Earlier this year SITA, an airline technology provider, confirmed that its servers had been breached in a cyberattack. The hack affected more than 2 million travelers from major airlines including Star Alliance and OneWorld members such as Air New Zealand, United, Singapore Airlines, SAS, Cathay Pacific, and Finnair. By penetrating SITA’s safety system, the hackers accessed the Passenger Service System (PSS), which handles processes ranging from ticket booking to boarding, and stole passengers’ information.
In the aviation industry, safety and security programs are inextricably linked as airports dive into the digital transformation to optimize operations while improving customer experience.
Airports are continuously tapping IIoT technology to create a network of capabilities, from mapping the logistics of moving billions of people and goods, to operating and connecting various businesses and systems at once, to ensuring the safety and security of all operations.
As the industry continues to grow, with a yearly increase in travel and flight operations, airports will need to find the best means to keep up with business operations with optimized systems automation. However, greater connectivity can increase security risks that will impact safety. This is where better enterprise risk management is important.
Integrating Safety and Security Efforts
Safety and security have traditionally been viewed as separate entities, but there is a commonality between them in the approaches used to analyze and mitigate risks. For example, the concept of “access control” is common between safety and security. In both cases, policies and procedures are built based on business practices, risk management approaches, application requirements and industry standards.
Transportation operators that want to reduce the likelihood of security-based safety incidents will need to rethink safety in this way. Specifically, start thinking of safety and security in relation to each other. There are three key areas where this can have the biggest impact:
- Behavior: In addition to helping protect intellectual property, processes and physical assets, security personnel must make protecting safety systems a core value in everything they do. Greater collaboration between Environmental Health & Safety, operations and IT teams is more important as well. For example, all three teams should work together to develop co-managed objectives for safety and security and identify critical safety-data requirements on floor systems. And because a strong safety culture involves every employee, a companywide understanding of the relationship between security and safety is needed.
- Procedure: Compliance efforts should meet the security requirements in safety standards, such as IEC 61508 and 61511, and security efforts should follow a defense-in-depth approach and address safety-related security risks at all levels of an organization. Defense-in-depth is recommended in the IEC 62443 (“Security for Industrial Automation and Control Systems”) standard series (formerly ISA99) and elsewhere.
- Technology: All safety technologies should have built-in security features. They also should use security technologies that help protect against safety-system breaches and enable speedy recoveries should a breach occur.
Risk Mitigation
The list of potential security threats that could have safety implications is endless. So, airports and other industrial companies alike should start any mitigation of security-based safety risks by understanding where they are most vulnerable.
This should be done by conducting separate safety and security risk assessments, then comparing reports to examine where security most impacts safety to best address the unique set of risks.
We’ve outlined some key mitigation measures that industrial operators should implement in a white paper on “Safety through Security: Protecting People, the Environment and Critical Infrastructure against Industrial Security Threats.”
The concept of digital transformation is bringing production intelligence to our customers for measuring and improving nearly every aspect of their operations. It’s also providing instantaneous information sharing and seamless collaboration across organizations.
For all these opportunities, more connection points can create more entrance points for security threats. You must account for and address how these threats impact the safety of your people, your infrastructure and the environment around your operations. The IIoT is bringing opportunity, risk and the ability to holistically integrate your safety and security programs to optimize operations.
Quade Nettles manages for services associated with cyber security at Rockwell Automation. Quade’s primary responsibility is to develop the strategic roadmap for industrial cyber security services including consultative services such as risk assessments and penetration testing, as well as managed security services such as threat detection and incident response. Quade holds a Bachelor of Business degree in Computer Information Systems from the University of Toledo and a Master of Business Administration degree from Cleveland State University.