ARMIS BUYER’S GUIDE

Cyber Exposure Management Buyer’s Guide for Airports


The Environment

Airports host a wide range of digital assets critical to their operations, safety, and passenger experience. These include:

  1. IT systems such as flight information display systems (FIDS), ticketing and boarding systems, baggage handling software, and cybersecurity tools.
  2. Operational Technology (OT) assets such as HVAC systems, surveillance cameras, access control systems, runway lighting, and building automation.
  3. Cyber-physical systems such as security scanners (e.g., body and luggage scanners), biometric identity systems, and air traffic control communications, which are tightly integrated with both digital and physical infrastructure.
  4. Wi-Fi networks, digital signage, mobile apps, and IoT sensors used for crowd management and predictive maintenance, which form part of an airport’s growing digital ecosystem and ever-expanding attack surface.

Did You Know

Flight delays cost the U.S. economy alone over $30 billion annually, with cyber disruptions increasingly recognized as a contributing factor.

The Risks – Quantified

Airports face a unique set of cyber exposure risks due to their role as critical infrastructure, their reliance on interconnected digital and cyber-physical systems, and the constant flow of passengers, employees, and vendors. These environments present a broad and dynamic attack surface that requires special attention. Key risks include:

  1. Complex, interconnected systems
    Airports rely on a web of interdependent technologies including IT systems, OT infrastructure, IoT devices, and cyber-physical systems, all of which must work seamlessly and securely together. A vulnerability in one segment or system can cascade across the environment.
  2. Legacy and unpatched systems
    Many operational technologies (e.g., runway lighting, HVAC, baggage systems) run on outdated software that was not designed with cybersecurity in mind, making them difficult to update and secure.
  3. Limited visibility across assets
    A lack of real-time visibility into all connected devices and systems makes it difficult to understand the full attack surface and respond effectively to threats.
  4. High volume of users and devices
    With thousands of passengers, employees, and third-party vendors interacting with airport networks daily, maintaining secure access control and endpoint protection is a persistent challenge.
  5. Third-party and supply chain risk
    Airports depend heavily on airlines, contractors, software providers, and vendors who may introduce vulnerabilities or have access to critical systems without adequate security controls.
  6. Physical-digital convergence
    Increasing use of biometric systems, automated gates, and smart surveillance means that a cyberattack can now directly impact physical security, elevating the risk to human safety.

Did You Know

61.5% of airports surveyed had experienced targeted cyberattacks; common vectors included phishing (77%), malware (51%), and DDoS (21%).

Read more about the state of cybersecurity in airports.

Common Attacks

Airports are vulnerable to a broad range of cyber attack vectors due to their highly connected infrastructure and diverse digital ecosystem. These attack vectors can be exploited by threat actors to disrupt operations, steal data, or cause physical harm. Key cyber attack vectors that can impact airports include:

  1. Phishing and Social Engineering
    Employees, vendors, and contractors may be targeted with deceptive emails or messages designed to steal credentials, deploy malware, or trick users into granting unauthorized access.
  2. Malware and Ransomware
    Malicious software can be introduced via infected USB devices, phishing links, or vulnerable endpoints, leading to data theft, system corruption, or ransom-driven operational shutdowns (e.g., baggage systems or flight scheduling).
  3. Insider Threats
    Employees, contractors, or vendors with authorized access may intentionally or unintentionally compromise systems, steal data, or create backdoors for attackers.
  4. Supply Chain Attacks
    Compromised third-party software, systems, or maintenance vendors can introduce vulnerabilities into airport networks, enabling attackers to bypass traditional perimeter defenses.
  5. Exploitation of Unpatched or Legacy Systems
    Many airport OT and IT systems run on outdated software that may not be regularly updated, providing easy targets for attackers to exploit known vulnerabilities.
  6. Wireless and Network Intrusion
    Unsecured public Wi-Fi, poorly segmented networks, or weak access points can be exploited to intercept communications, capture data, or access internal systems.
  7. Denial of Service (DoS) and Distributed Denial of Service (DDoS)
    Attackers can flood airport systems with traffic to overwhelm and disable critical services such as online check-in portals, flight information displays, or backend operations.
  8. Credential Theft and Account Compromise
    Stolen or weak passwords can allow unauthorized access to sensitive airport systems, enabling data breaches or system manipulation.
  9. IoT Device Exploitation
    Vulnerable IoT sensors, surveillance cameras, and smart systems used for crowd control or environmental monitoring can be hijacked and used as entry points or part of a botnet.

Did You Know

According to recent reports, more than 40% of airports experienced cyberattacks in the last two years, with attacks targeting operational technology and passenger data systems increasing sharply.

The Impact of a Successful Attack

Given the critical nature of airport operations and their role in national security and commerce, protecting against these attack vectors is essential for ensuring operational resilience and public safety.

Real-World Incidents Underscore the Risk

Jet bridge outage via compromised retail router

A major international airport experienced a failure in a jet bridge due to a compromised Wi-Fi router located in a retail coffee shop. While initially appearing to be a mechanical fault, the root cause was a cybersecurity issue stemming from a non-critical system with excessive access privileges. Flights were delayed, operations were impacted, and passengers were left stranded.

Baggage handling system malware spread via contractor access

In a separate incident, a contractor with persistent VPN access connected to a baggage handling system from a compromised device. Malware spread across the internal network, halting baggage movement and grounding several flights. This breach came not through perimeter defenses, but through an unmonitored third-party channel with overly broad privileges.

Kiosk shutdown due to trojanized vendor update

Another airport saw a complete failure of multiple passenger self-service kiosks after a third-party software update introduced a trojanized library into the backend systems. The malware spread silently, eventually crashing digital signage and boarding pass printers. With gate information systems down, airline operations were paralyzed, resulting in missed connections and reputational damage.

A successful cyberattack on an airport can have wide-ranging and severe consequences, affecting everything from operational continuity to national security. Key potential impacts include:

  • Flight Disruptions and Cancellations
    Compromised flight information systems, gate operations, or air traffic control systems can lead to delays, grounded aircraft, or widespread cancellations.
  • Passenger Safety Risks
    Attacks on cyber-physical systems like biometric gates, baggage scanners, or access control systems can lead to unauthorized access to secure areas or failures in detecting threats.
  • Operational Downtime
    Systems critical to baggage handling, check-in, ticketing, and scheduling may be taken offline, crippling daily operations with a potential cascading effect across vast regions.
  • Supply Chain Disruption
    Interruption in systems used by vendors, maintenance providers, or fuel and logistics partners can ripple across the airport’s ecosystem, compounding operational issues.
  • Public Panic and Loss of Confidence
    Visible disruptions or exposed vulnerabilities may erode public confidence in airport safety, reducing traveler numbers and affecting airlines and associated businesses.
  • Regulatory and Legal Repercussions
    Failure to adequately protect systems and data can result in investigations, fines, and increased regulatory scrutiny from aviation and cybersecurity authorities.

Did You Know

A single kiosk outage for one hour can lead to losses of $2,000+ in operational efficiency due to rerouting passengers to manual check-in. Manual check-in costs can be 4-5x higher per passenger compared to kiosk processing, leading to substantially increased staffing and operational expenses during outages.

The Plays

To address these challenges, airports need a unified cybersecurity strategy that spans IT and OT, prioritizes visibility and segmentation, and integrates threat detection, response, and recovery capabilities across their entire ecosystem.



Phase 1: Establish Contextualized, Prioritized, Real-Time Visibility (CEM/CTEM)

What to Do

  • Deploy CEM/CTEM tools to continuously discover all IT, OT, IoT, and cyber-physical assets.
  • Enrich assets with metadata: ownership, function, location, vulnerabilities.
  • Contextualize to operational criticality and impact.
  • Map real-time relationships between systems and create a living attack surface model.

Why It’s Important

  • You can’t protect what you don’t know exists.
  • Asset sprawl and siloed environments increase blind spots.
  • Focus on what matters most.
  • Context is critical to distinguish between low-risk and mission-critical exposures.

KPIs & Business Outcomes

  • Asset inventory coverage rate (goal: 100%).
  • Reduction in unknown or unmanaged assets (unknown-to-known ratio).
  • Mean time to asset discovery (MTAD) [including change discovery].

Outcome

| A complete, contextualized view of the digital and physical environment across airport operations.


Phase 2: Prioritize Exposure with Business-Aligned CTEM – Focus on what matters most

What to Do

  • Score exposures by operational criticality and exploitability.
  • Simulate attack paths across interconnected systems.
  • Reduce exposure by validating security controls through continuous testing (e.g., breach simulation and smart mitigation playbooks).

Why It’s Important

  • Not all vulnerabilities are equal: some directly affect safety or uptime, others do not.
  • CTEM enables continuous, not annual, assessment.
  • Control validation ensures theoretical protections work under real-world conditions.
  • Smart mitigation playbooks provide feasible, effective workarounds and guide resource allocation.

KPIs & Business Outcomes

  • Risk-weighted exposure score over time.
  • % of critical exposures with validated controls.
  • Reduction in dwell time for high-priority risks.
  • Effective resource allocation to increase uptime.

Outcome

| Focused mitigation of exposures that matter most to operations and safety.
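The Phase 1 asset model (an inventory enriched with criticality and mapped relationships) and the Phase 2 steps (scoring by criticality and exploitability, simulating attack paths, and testing a mitigation) can be worked through on a small scale. The Python below is an added example, not Armis code and not from this guide: the assets, zones, criticality values, exploitability estimates and reachability links are constructed to loosely mirror the jet bridge and baggage incidents described above, and the scoring rule (criticality times the likelihood of the most likely attack path from an untrusted entry point, with per-hop exploitabilities multiplied) is one simple, assumed choice rather than any vendor's formula.

```python
import copy
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    zone: str                 # network segment (guest, vendor, it, ot)
    criticality: int          # 1 (low) .. 5 (mission-critical), set by operations
    exploitability: float     # 0..1, assumed likelihood an attacker who reaches it compromises it
    reaches: set = field(default_factory=set)  # assets reachable from this one on the network


def build_inventory():
    """Constructed sample inventory; values are illustrative, not measured."""
    inv = {}
    for name, zone, crit, expl in [
        ("retail_wifi_router", "guest", 1, 0.9),
        ("contractor_vpn", "vendor", 2, 0.7),
        ("kiosk_backend", "it", 3, 0.5),
        ("fids_server", "it", 4, 0.3),
        ("baggage_control", "ot", 5, 0.6),
        ("jetbridge_plc", "ot", 5, 0.8),
    ]:
        inv[name] = Asset(name, zone, crit, expl)
    # Directed reachability. The first link is the flat-network misconfiguration
    # behind the coffee-shop-router-to-jet-bridge incident.
    for src, dst in [
        ("retail_wifi_router", "jetbridge_plc"),
        ("retail_wifi_router", "fids_server"),
        ("contractor_vpn", "baggage_control"),
        ("contractor_vpn", "kiosk_backend"),
        ("kiosk_backend", "fids_server"),
        ("fids_server", "baggage_control"),
    ]:
        inv[src].reaches.add(dst)
    return inv


def attack_paths(inv, entry, target, max_hops=6):
    """Enumerate simple paths from entry to target (depth-first, bounded)."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(list(path))
            return
        if len(path) > max_hops:
            return
        for nxt in sorted(inv[node].reaches):
            if nxt not in path:          # no cycles
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(entry, [entry])
    return paths


def path_likelihood(inv, path):
    """The attacker must compromise every hop, so per-hop exploitabilities multiply."""
    p = 1.0
    for name in path:
        p *= inv[name].exploitability
    return p


def exposure_scores(inv, entry_points):
    """Risk-weighted exposure = criticality x likelihood of the best path from any entry."""
    scores = {}
    for target in inv:
        best = 0.0
        for entry in entry_points:
            for path in attack_paths(inv, entry, target):
                best = max(best, path_likelihood(inv, path))
        scores[target] = round(inv[target].criticality * best, 3)
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))


def simulate_mitigation(inv, src, dst, entry_points):
    """Re-score after removing one reachability link (e.g. a new segmentation rule)."""
    trial = copy.deepcopy(inv)           # leave the live inventory untouched
    trial[src].reaches.discard(dst)
    return exposure_scores(trial, entry_points)


if __name__ == "__main__":
    inv = build_inventory()
    entries = ["retail_wifi_router", "contractor_vpn"]   # assumed untrusted entry points
    for name, score in exposure_scores(inv, entries).items():
        print(f"{score:5.2f}  {name} ({inv[name].zone})")
    after = simulate_mitigation(inv, "retail_wifi_router", "jetbridge_plc", entries)
    print("jetbridge_plc after blocking guest->OT:", after["jetbridge_plc"])
```

The ranking puts the jet bridge PLC first even though the retail router it is reached through has the lowest criticality in the inventory, which is the point of scoring by path rather than by asset: the mitigation simulation then shows that a single guest-to-OT block drops that exposure to zero while the contractor-to-baggage path remains and needs its own control.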


Phase 3: Orchestrate AI-Driven Exposure Management, Threat Detection & Unified Vulnerability Management (UVM)

What to Do

  • Unify vulnerability data across IT, OT, and IoT systems.
  • Use AI to prioritize vulnerabilities based on business and threat context.
  • Monitor behavior anomalies using AI/ML for real-time detection.
  • Focus on exposures before they turn into incidents.

Why It’s Important

  • High-risk environments undermine resilience.
  • Vulnerability overload leads to patch paralysis.
  • Traditional detection misses low-and-slow or insider threats.
  • AI provides scale and speed in recognizing subtle or emerging risks.

KPIs & Business Outcomes

  • Uptime.
  • % of critical vulnerabilities remediated within SLA.
  • Reduction in false positives and analyst fatigue.
  • Threat detection-to-response time.

Outcome

| A smarter, faster defense posture that prevents incidents before they escalate.


Phase 4: Automate Remediation & Incident Response

What to Do

  • Conduct AI-driven threat hunting for proactive detection.
  • Build automated playbooks and workflows for incident containment and resolution.
  • Orchestrate remediation across IT/OT systems, including virtual patching for legacy assets.

Why It’s Important

  • Speed matters. Containment delays drive costs and downtime.
  • Manual coordination across teams causes friction and inconsistency, and is error-prone.
  • Proactive threat hunting reduces undetected dwell time.

KPIs & Business Outcomes

  • Mean Time to Respond (MTTR) and Mean Time to Contain (MTTC).
  • % of incidents resolved via automation.
  • Reduction in repeat incidents from same root cause.

Outcome

| Resilient operations with minimal disruption and faster recovery.


Phase 5: Measure, Report, and Evolve

What to Do

  • Monitor key exposure and response metrics in real time.
  • Provide executive dashboards aligned with business risk (e.g., flight delays, safety impact).
  • Feed lessons learned into continuous improvement cycles.

Why It’s Important

  • Cybersecurity needs to prove business value and justify investment.
  • Visibility builds stakeholder trust and compliance readiness.
  • Feedback loops ensure the security program adapts with threats.

KPIs & Business Outcomes

  • Exposure window (time assets are vulnerable).
  • Business impact reduction (measured in downtime, financial losses, reputational hits).
  • Audit readiness and regulatory compliance rate.

Outcome

| Cybersecurity as a strategic enabler—not just protection, but performance.

Summary Outcome

Airports that adopt this cyber exposure playbook will gain:

  • Continuous situational awareness
  • Real-time detection and fast recovery
  • Proactive security
  • Targeted remediation aligned to business impact
  • Resilient, compliant, and trusted airport operations


Airport Cybersecurity
Practitioner Checklist


Organized by Playbook Phase

1. Visibility & Asset Intelligence (CAASM)
Ensure full visibility and context across all assets.
  • Deploy an automated asset discovery tool (covering IT, OT, IoT, cyber-physical systems).
  • Maintain a continuously updated asset inventory with metadata (owner, function, location, software version).
  • Map interconnectivity and communication flows across assets.
  • Identify and tag high-value and mission-critical systems (e.g., air traffic control, baggage handling).
  • Detect and remove unauthorized or unmanaged devices from the network.
2. Exposure Prioritization & Control Validation (CTEM)
Continuously assess and prioritize what matters most.
  • Implement risk scoring for assets and vulnerabilities based on business criticality and threat intelligence.
  • Map attack paths to understand lateral movement and exposure impact.
  • Regularly test controls using breach and attack simulation (BAS) tools.
  • Validate segmentation between IT, OT, and guest networks.
  • Maintain an updated CTEM cycle with defined cadence (monthly/quarterly assessments).
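The flow-mapping item in category 1 and the segmentation-validation item in category 2 can be checked mechanically against exported flow records rather than by inspection alone. The Python below is an added example, not Armis code: the zone subnets, the allow-list policy and the seven flow records are all constructed for illustration, and the CSV layout (src_ip,dst_ip,dst_port,proto) is an assumed export format rather than any specific product's.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed zone plan: trust zone -> subnets (not real airport addressing).
ZONES = {
    "guest":  [ipaddress.ip_network("10.10.0.0/16")],  # public Wi-Fi, retail tenants
    "vendor": [ipaddress.ip_network("10.20.0.0/16")],  # contractor VPN address pool
    "it":     [ipaddress.ip_network("10.30.0.0/16")],  # FIDS, kiosks, ticketing
    "ot":     [ipaddress.ip_network("10.40.0.0/16")],  # baggage, jet bridges, building automation
}

# Constructed allow-list: (src_zone, dst_zone) -> permitted destination ports.
# Any inter-zone flow not listed here is treated as a segmentation violation.
POLICY = {
    ("guest", "external"): {80, 443},   # passengers browsing the Internet
    ("it", "external"): {443},
    ("vendor", "it"): {443},            # contractor portal on the IT side
    ("it", "ot"): {502},                # supervisory Modbus from IT hosts only
    ("ot", "it"): {514},                # syslog from OT to the SIEM collector
}

# Constructed flow export; the column layout is an assumed CSV format.
SAMPLE_FLOWS = """src_ip,dst_ip,dst_port,proto
10.10.5.23,93.184.216.34,443,tcp
10.10.5.23,10.40.1.10,502,tcp
10.20.7.4,10.40.2.15,445,tcp
10.30.1.8,10.40.1.10,502,tcp
10.20.7.4,10.30.1.8,443,tcp
10.30.2.9,10.40.2.15,3389,tcp
10.40.2.15,10.30.1.50,514,udp
"""


def zone_of(ip):
    """Map an address to its trust zone; anything outside the plan is 'external'."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "external"


def evaluate_flow(src_ip, dst_ip, dst_port):
    """Return (allowed, src_zone, dst_zone) for one flow under POLICY."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return True, src_zone, dst_zone  # intra-zone traffic is not governed by the zone policy
    return dst_port in POLICY.get((src_zone, dst_zone), set()), src_zone, dst_zone


def audit_flows(flow_csv):
    """Parse a flow export and return every inter-zone flow the policy forbids."""
    violations = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        port = int(row["dst_port"])
        allowed, src_zone, dst_zone = evaluate_flow(row["src_ip"], row["dst_ip"], port)
        if not allowed:
            violations.append({
                "src_zone": src_zone, "dst_zone": dst_zone, "dst_port": port,
                "src_ip": row["src_ip"], "dst_ip": row["dst_ip"], "proto": row["proto"],
            })
    return violations


def summarize(violations):
    """Count violations per zone pair, the first view a segmentation review needs."""
    return Counter((v["src_zone"], v["dst_zone"]) for v in violations)


if __name__ == "__main__":
    found = audit_flows(SAMPLE_FLOWS)
    for v in found:
        print(f"VIOLATION {v['src_zone']}->{v['dst_zone']} "
              f"{v['src_ip']} -> {v['dst_ip']}:{v['dst_port']}/{v['proto']}")
    for pair, n in summarize(found).items():
        print(f"{pair[0]}->{pair[1]}: {n} forbidden flow(s)")
```

Because the policy is an allow-list, a zone pair with no entry at all (guest to OT, vendor to OT) is flagged just as an unexpected port on a permitted pair is (RDP from IT into OT); on the constructed data the guest-to-OT Modbus row is exactly the retail-router-to-jet-bridge path from the incident above, and the vendor-to-OT SMB row is the contractor-VPN-to-baggage path.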
3. Unified Vulnerability & Threat Management (UVM + AI)
Centralize and accelerate risk reduction through automation and intelligence.
  • Integrate vulnerability data sources (scanners, asset platforms, CMDB, OT tools).
  • Apply AI/ML to prioritize vulnerabilities by exploitability and operational risk.
  • Deploy early-warning detection to surface threats before they reach the point of impact.
  • Monitor system behavior using AI-based anomaly detection.
  • Enable threat intel feeds specific to aviation and critical infrastructure sectors.
  • Implement alerting thresholds based on business impact, not just severity score.
4. Automated Response & Remediation
Contain and recover quickly across systems and teams.
  • Build automated response playbooks for top threat scenarios (ransomware, access control breach, supply chain compromise).
  • Implement virtual patching or segmentation for legacy OT assets.
  • Coordinate remediation workflows across IT and OT stakeholders.
  • Use Smart Active Querying to hunt for dormant threats.
  • Maintain secure, tested backups for critical systems and configurations.
5. Measurement, Reporting & Continuous Improvement
Track performance, inform leadership, and evolve.
  • Establish dashboards for exposure, risk, and remediation metrics.
  • Measure and track KPIs: MTTR, exposure window, patch coverage, asset visibility.
  • Align metrics to business outcomes (e.g., uptime, passenger flow, regulatory readiness).
  • Conduct post-incident reviews and feed insights into future CTEM cycles.
  • Update policies, procedures, and training materials based on evolving threats.
6. Governance, Awareness & Culture
Build cross-functional alignment and strong human defenses.
  • Form a cross-functional cybersecurity governance committee (IT, OT, operations, physical security).
  • Train all employees and vendors on cyber hygiene, phishing awareness, and secure access.
  • Tailor cybersecurity training for OT engineers and airport operations staff.
  • Audit third-party vendors for cybersecurity practices and access controls.
  • Document and rehearse incident response plans regularly across domains.