Why is Open Architecture the future of cybersecurity at airports?
We spoke to Richard Dempers, an IT consultant for Rheinberry currently supporting Heathrow as Lead Designer on the deployment of new security equipment and capability covering passenger lanes and control posts, and Eugene Kramer, Head of Cyber Security for Passenger Aviation Security and Borders at Heathrow Airport, including biometrics, identity, security areas, commercial and engineering systems. All views expressed are their own and do not represent those of Heathrow or Rheinberry.
What are your current key challenges?
EK: One of the challenges we have is to adapt, going from many millions of passengers a year to virtually none. To survive as a business, we had to make some changes, such as with the assets and equipment that need to run whether there are passengers or not – the equipment must still be maintained, and in certain areas we have had to shut assets down.
The challenge is: how do we re-start in a timely manner when passengers return to flying and confidence builds? As you look to survive as a business and reduce costs in a safe and secure manner, you need to be aware of how you can upscale, also in a safe and secure manner, to return the operation to scale. It’s something that has been considered for many months.
We have also got to maintain the security of our estate. That’s people, physical and digital assets. And in times of disruption, it can give bad actors, threat actors, or those who may become curious – or who have time on their hands – it can give them the opportunity to test the integrity of your systems. So that is a challenge that is ongoing, but in times of disruption, I think it’s increased. I believe this is the case for all businesses.
RD: The downturn in passenger numbers means that money can’t be spent on projects to do new things. The work we are trying to do in deploying new security equipment is taking longer than we expected because the funding isn’t there to do it, and when we are doing something large and potentially changing to the industry, such as Open Architecture and the impact it’s going to have on cybersecurity, that’s also dragging out those timescales as well.
What benefits can open architecture offer for data sharing in a secure way?
EK: Open Architecture was previously associated with software engineering or software development. Open Architecture in our world enables the interoperability of systems that were previously not open or tightly integrated. What we want to do is create something that is open, to be able to interact with partners, and that enables entry into the market, because you have a standardised way for systems, people, organisations to interact with set formats, and to be able to ingest and interpret those formats to give you relevant information.
You’re able to improve the passenger experience and make efficiencies. Organisations can now extract data from previously closed systems, for monitoring, for continuous improvement purposes, or for the reduction of repetitive processes – you don’t have to repeat the process more than is necessary if you are able to accept data or information from a system downstream that you trust.
But to make the systems interoperable, security must be first and foremost. If you know you are operating within a certain framework, or within certain parameters, you know what you’re dealing with, by creating patterns and thus reducing having to deal with a data asset in a new way.
You could argue that interoperability could open the opportunity for understanding how the frameworks work and exploiting them. But if you have frameworks and standards in the way you operate, upgrading, making changes, and working to mitigate evolving threats becomes easier, because you are working within a framework so you can detect anomalies, which can be understood by more than one organisation, manufacturer, or vendor.
RD: The whole idea of interoperability is absolutely key. We’ve written this definition document and presented it to numerous industry bodies and got a lot of support from the end users, customers and regulatory bodies. We are now working to persuade the manufacturers on this journey.
Over the last two or three years, most of the manufacturers have started talking about “Open Architecture” in their business plans and roadmaps, but they very much see it as their view of Open Architecture. It’s only Open Architecture within their world. So, we are trying to define an Open Architecture that works across the board, and the phrase we often use is “plug and secure play”.
So, in an airport, you might have two devices that work together and talk to each other. That’s all very well if those two machines are from the same manufacturer – they are designed to do that – but we want to get to a point where we can have devices from different manufacturers and for that data exchange to still be really easy and seamless.
So Open Architecture is a technical concept, but fundamentally it’s about improving the operational or security efficiency, business efficiency and procurement efficiency. That is absolutely key, because the procurement side of these things is very costly.
Your talk at Cyber Security for Industrial Control Systems will include the benefits of an interoperable over an integrated approach. What are the key differences and why do you favour interoperable systems?
RD: In an integrated system, anything can be combined into a functioning, unified whole. Any software can be integrated at cost and with time – it all depends how much money and time you want to throw at something. But that does mean that changes to components are often exceedingly difficult to maintain. As one component becomes updated, you then have to update the component that it’s connected to; go through a whole lot of further tests. Interoperability isn’t guaranteed.
Interoperable systems are the world we want to move to. This is available in other industries, and we’re now trying to implement it in the commercial aviation world. In an interoperable system, you can provide and receive services from other systems, connect to all these different components from different vendors, but without changing existing components. You’re moving to a “plug and secure play” type of world. It’s never going to be as easy as simply pulling out a piece of equipment and replacing it with another, but it has to be quicker and less costly than it is now.
We have contributed to an ACI Europe document on Open Architecture for Airport Security Systems, which has further information.
What will the next 12 months bring for you and your work? Will there be new challenges as air travel becomes more frequent again?
EK: The challenges as an industry are how do you adapt and ramp up to the increase in demand when it comes? I think it is also about the lack of parity and approach to try to solve the issue. We would like people to fly, and I think people would like to fly – the question is how do they have confidence to fly?
The challenge is understanding what another entity is doing or not doing to ensure equivalence or understanding, so you can fly safely in terms of COVID-19 and not to jeopardise you considering flying, coming back home and resuming your normal routine.
I have been considering this for months, and during the pandemic, we had to shut certain assets down in a safe and secure way, and we will have to bring them back into service in a safe and secure way. We’re already doing that, and the challenge is to find the balance whereby we’re not seen to be doing it too soon, because there’s cost involved, in maintenance and running things safely and securely, but if you don’t do it in time, you are not going to meet the demand. It’s about adapting to that increase in demand, ensuring that people have the confidence to do it, and that it is safe and secure.
I have heard lots of debates where people say there’s no longer a need for a business meeting in person, and I disagree – I think people are lacking that personal interaction, either on a personal level, or on a business or design level, where people can collaborate in a room on a white board.
RD: It will be interesting to see how travel comes back. Obviously, people want to go on holiday, but it will be interesting to see how business travel picks up. I think it will – we’ve been on calls, both within Heathrow and with international groups of people, and you want to say “hold on – we need to draw on a white board” – and you can’t do that – online collaboration tools aren’t as good as being in a room and having a discussion, where problems are quickly ironed out. You just can’t do that with online tools, so I think there still is a need for business travel. Whether there will be as much as there was in the past, I don’t know.
EK: You need that interaction. You can do a formula on a screen, but it’s not the same as being in a room and you can build something, or you can demonstrate what you want to achieve. Over an electronic medium, it’s not quite the same.
RD: When we demonstrate something, we quite often want to go airside in the airport, to say: here is a device, and you can’t do that over a video call. At the end of the day, there is still the real world out there, with physical bits of kit that do things, and the only way you can demonstrate what those things do is to have people standing in front of it.
EK: When you are in an airport, you can simulate, or you can hear the baggage factory in operation, or you can see someone interacting with a bag, you need that in order to understand the situational awareness. Otherwise, it becomes a theoretical exercise.
Richard and Eugene are speaking at Cyber Security for Industrial Control Systems, taking place online on 5 – 6 May.