Apr 10 2025
Security

Airports Secure Their IT Operations and Improve Business Continuity

IT leaders for these vital transportation hubs work to enhance their cyber resilience.

Cybersecurity is paramount at airports. Any successful cyberattack or IT outage can snarl air traffic, diminish the passenger experience, and put staff and passenger data at risk.

Knowing this, CIO Eduardo Valencia charted a course toward more robust IT operations when he joined the Metropolitan Airports Commission, which runs Minneapolis–Saint Paul International Airport (MSP). Now, eight years in, he continually works to bolster security and resiliency to prevent any tech-related turbulence.

“We facilitate air travel, so our risk tolerance is very low,” Valencia says. “We’re dealing with people’s lives. We have zero tolerance for error, which means the underlying technology and systems must be robust.”

Major U.S. airports operate 24/7 and are complex, multitenant facilities. Airport IT departments provide tech infrastructure and network access for internal departments, such as police, fire, finance and facilities management, as well as for airlines, restaurants and retailers.

Applications they support include emergency dispatch, door access control and security camera systems. Airports also manage flight information displays; cellular and Wi-Fi networks; and much of the passenger-facing technology that airlines need to operate at an airport, such as kiosks, check-in counters and gates.

“The importance of safeguarding the digital infrastructure can’t be overstated,” says Zeus Kerravala, principal analyst with ZK Research. “Everything in an airport runs on technology. Any one system can lead to a breach of all of the systems because everything is connected.”

For example, a ransomware attack last August disrupted operations at Seattle-Tacoma International Airport for several weeks, knocking out digital signage, the website and internal email and forcing airline agents to handwrite boarding passes and airport staff to manually sort baggage. The hackers also stole data.

Airports Strive to Boost Cyber Resilience

In Minnesota, nearly 102,000 travelers and 550 metric tons of cargo pass through MSP each day as 19,000 badged employees work on-premises. The IT department manages over 250 applications and services, some of which are critical to facility operations, Valencia says.

About two-thirds of the airport’s applications are consumed as services or run on Amazon Web Services and Microsoft Azure, while one-third are hosted on-premises.

Valencia hired a cybersecurity team when he joined MSP. Today, he and his IT team use multiple Microsoft tools, including Entra for multifactor authentication, Microsoft System Center Configuration Manager (now called Configuration Manager) for patch management, and Intune for managing and securing mobile devices.

They’ve also installed Palo Alto Networks’ next-generation firewalls and CrowdStrike’s Falcon endpoint detection and response software to protect against malware. For continuous monitoring, Valencia hired Arctic Wolf, a managed security service provider (MSSP), to detect and respond to threats.

Arctic Wolf uses a security information and event management tool to constantly monitor the airport’s endpoints, networks and cloud environments.

“They will bring in my engineers if they see activity that doesn’t align with our historical norms,” Valencia says.

Valencia notes that these tools enable or complement a zero-trust approach, in which no user or device is automatically trusted. Different tools support different dimensions of zero trust, he adds. For example, MSP has also deployed SailPoint for identity and access management and BeyondTrust for privileged access management.

“We are on the zero-trust journey,” he says.

Every two years, Valencia hires a third party to assess MSP’s security posture against the National Institute of Standards and Technology’s Cybersecurity Framework. If gaps are found, the IT department resolves them.

MSP provides cybersecurity awareness training to employees and has built redundancy into its infrastructure. It has three active-active connections from three different internet service providers. Critical systems have redundancy and backups in place. IT administrators also perform disaster recovery exercises. 

“Nothing is completely foolproof,” Valencia says. “We’re always actively managing risk by bringing awareness, reassessing and improving performance.”

Redundant Connections Strengthen Airport IT

The Hartsfield-Jackson Atlanta International Airport is the busiest airport in the world, welcoming more than 100 million passengers a year, so resiliency is a priority.

“If somebody were to be successful at bringing down our network, the impact would be substantial,” says CTO Chris Crist, who joined ATL a year ago. “Our CCTV capability, security access control system, wireless and cellular networks — all of those things will obviously be substantially impacted in a negative way.”

The airport is investing in redundant IT infrastructure and networks, beefing up its security posture with new security tools and performing a risk assessment with the Transportation Security Administration’s assistance early this year.

Atlanta’s Department of Aviation has deployed the standard security tools, including McAfee ePolicy Orchestrator anti-virus and patch management software. An MSSP monitors the airport’s IT and network infrastructure. Since Crist’s arrival, he has added a separate network monitoring tool and subscribed to software that scans the dark web for potential breaches.

Crist is currently designing a new data center with a budget of $60 million to $80 million. When it becomes operational by the end of 2026, the airport will have two data centers for redundancy. “If a cyberattacker takes down one of our data centers, we could quarantine it, shut it down and keep operating on the other one,” he says.

ATL is also building a $140 million fiber loop across the airport’s 33,000 acres. The fiber loop will provide every terminal, concourse and building with redundant connections.

A Florida Airport Recovers from a Ransomware Attack

The city of Pensacola, Fla., which manages the IT infrastructure for Pensacola International Airport, continually invests in multiple layers of security, including new patch management software purchased in the past year. The city also provides ongoing cybersecurity awareness training, performs continuous vulnerability scanning and hires a third party to run penetration tests regularly, says Stephen Ringl, the city’s director of innovation and technology.

But despite Pensacola’s best efforts, a ransomware attack last March knocked out its phone system and network, which prevented server access. Fortunately, airport operations ran normally.

It was a sophisticated zero-day attack. But thanks to the city’s disaster recovery strategy, the IT staff was fully prepared and able to recover fairly quickly, Ringl says.

Two months prior, in January 2024, IT staffers performed a tabletop exercise and walked through their incident response plan for a ransomware attack. The city’s MSSP also took part.

“We talked through specific details, and it helped us refine our plan and make it better. When the cyberattack hit, we responded right away because everyone knew their role,” Ringl says.

With the MSSP’s assistance, IT staffers figured out the cause and isolated the affected systems. They brought some systems back online after a few days and fully recovered within weeks.

“We have local and regionally diverse backups and leverage local and cloud resources to ensure we have resiliency of data,” he says. 

Photography by Chad Holder