Image via Eduardo Cano Photo Co.

According to a report from cyber security company ImmuniWeb, only three of the 100 best international airports in the world have been approved.

The three are Schiphol Airport in the Netherlands, Helsinki Vantaa Airport in Finland and Dublin International Airport in Ireland.

According to ImmuniWeb, these three can be “a good example not only for the aviation industry but also for all other industries.”

The three are the only airports that have passed a long list of security tests that have checked their public websites, official mobile applications and leaked sensitive airport or passenger data in places such as cloud services, public code repositories or the dark web. .

To be more specific, ImmuniWeb has scanned for:

Proper implementation of HTTPS

If the email server from the airport supports SPF, DKIM and DMARC

If CMS systems (website content management systems) had current versions or vulnerable components

Compliance tests with PCI DSS, NIST and HIPAA guidelines

If the airport systems used a web application firewall (WAF)

Tests for general misconfiguration in cookie, header and other security settings

When mobile apps use components that are vulnerable to known exploits

If mobile apps were dependent on third-party software libraries and frameworks

If mobile apps used basic app security settings or if they used unsafe encryption techniques

If airport-related data was available on public cloud storage services

If airport-related data was available about public code hosting repositories

If airport-related data were available on the dark web and other criminal and hacking-related websites

The company’s wide range of security scans showed that 97% of the airports tested had problems with their cyber security attitude, and especially with their public websites.

A summary of the company’s scans is available below:

Main website Security:

97% of the websites contain outdated web software

24% of the websites contain known and exploitable vulnerabilities

76% and 73% of the websites do not comply with GDPR and PCI DSS respectively

24% of the websites do not have SSL encryption or use outdated SSLv3

55% of the websites are protected by a WAF

Mobile application security:

100% of the mobile apps contain at least 5 external software frameworks

100% of the mobile apps contain at least 2 vulnerabilities

On average, 15 security or privacy issues are detected per app

33.7% of the outgoing traffic of the mobile apps has no encryption

Dark Web Exposure, Code Repositories and Cloud:

66% of the airports are exposed on the Dark Web

72 of the 325 exposures run a critical or high risk that indicates a serious breach

87% of the airports have data breaches in public repositories

503 of the 3184 leaks are critical or high risk and could potentially cause a breach

3% of the airports have unprotected public cloud with sensitive data

Image via ImmuniWeb

The above problems can be credibly used to attack an airport authority, gain ground on vulnerable systems and then infiltrate the internal network of an airport.

Such attacks have occurred in recent years. With the exception of one case – the attack on Boryspil Kyiv International Airport – most of these disclosed cyber attacks have not been considered dangerous for the safety of passers-by because attackers were focused on financial gain (by installing malware) or political messages (via website defacements).

In a world where national actors are becoming bolder and political tensions are rising to new heights every day, cyber attacks on airport systems are no longer an unimaginable scenario and should be seen as a possible response in the event of an escalation between two countries.

For example, “cyber warfare and other disruptive technologies” were the two reasons mentioned why the Doomsday Clock was moved to 100 seconds until midnight last month, demonstrating the growing threat and far-reaching aftermath that cyber attacks can cause today.

For the context, below are notable cyber security incidents involving airport systems and authorities (not including security incidents with individual airlines):