Airport Cyber Security Best Practices

Cyber security is a growing enterprise-wide issue and permeates every aspect of modern life. Airports are part of the critical infrastructure and thus are particularly vulnerable to internal and external cyber threats and attacks from criminals, terrorists, or foreign actors. Cyber threats affect more than traditional IT infrastructure such as email and the Internet. Many airports also rely on Supervisory Control and Data Acquisition (SCADA)-type industrial control systems for heating, ventilation and air conditioning (HVAC), utilities, baggage systems, and business processes such as facility management. Airport directors may believe that SCADA-type systems are secure because they have limited or no Internet access and/or because they are physically secure, but they too pose risks to the organization. The move towards employees using their personal devices for work, such as smartphones and tablets [known as Bring Your Own Device (BYOD)], is becoming ubiquitous. Increasingly, this is occurring at airports, where airport personnel also wish to bring their own devices into the workplace. But this can be problematic if these devices interact with enterprise systems, such as email, and provide virtual private network (VPN) access. Devices can be used to introduce viruses or surreptitiously gather information. Employees can unknowingly introduce viruses and allow nefarious users access to enterprise systems by visiting reputable websites (such as their local newspaper), clicking on a link in an email, visiting social media sites, or inserting an infected USB drive into their computer or device. These risks can't be eliminated, but implementing industry standards, best practices, and an awareness program for all employees can help mitigate them.
Airports can also use their existing relationships with local, state, and federal law enforcement agencies to assist them with identifying and responding to anomalous activity to ensure an appropriate response and resolution.

The objectives of this research are to develop (1) a guidebook to help airports develop and/or maintain a cyber security program and (2) multi-media material(s) that address risk awareness by highlighting the different cyber security threats likely to be confronted by airports that can be used by cyber security/IT professionals to educate airport staff.

The guidebook should address at a minimum the following: (1) Industry standards, policies and procedures, and best practices for IT security systems; (2) Threat and risk awareness for executives and staff; (3) Initial and recurrent training needs; (4) Integrating cyber security practices into existing business processes; (5) Leveraging federal, state, and local agency relationships; and (6) Legal responsibilities and reporting requirements.

The standards, policies and procedures, and best practices should address at a minimum the following areas: (1) Identifying and responding to criminal activity or suspected criminal activity; (2) Data privacy; (3) Emerging technology threats and risks; (4) Identifying anomalous activity; (5) Managing third-party vendors and service-level agreements; (6) Managing other airport IT infrastructure users (e.g., airport tenants, passengers); (7) Mitigation techniques; (8) Network access control including wi-fi and remote access; (9) Ongoing maintenance and management; (10) Payment Card Industry Data Security Standard (PCI-DSS); (11) SCADA; (12) Social media; and (13) Social engineering.


  • English


  • Status: Completed
  • Funding: $350000.00
  • Contract Numbers:

    Project 05-02

  • Sponsor Organizations:

    Federal Aviation Administration

    800 Independence Avenue, SW
    Washington, DC  United States  20591

    Airport Cooperative Research Program

    Transportation Research Board
    500 Fifth Street, NW
    Washington, DC    20001
  • Project Managers:

    Greenberger, Marci

  • Performing Organizations:

    Grafton Technologies

  • Principal Investigators:

    Murphy, Randy

  • Start Date: 20130827
  • Expected Completion Date: 0
  • Actual Completion Date: 20140926
  • Source Data: RiP Project 38210

Filing Info

  • Accession Number: 01547547
  • Record Type: Research project
  • Source Agency: Transportation Research Board
  • Contract Numbers: Project 05-02
  • Files: TRB, RiP
  • Created Date: Dec 11 2014 1:01AM