Airports Cybersecurity: Protecting Passenger Data, OT Systems, and Physical-Cyber Convergence
Airports are among the most complex cybersecurity environments in any sector. A major international airport combines enterprise IT (HR, finance, corporate systems), operational IT (departure control, passenger processing, ground handling coordination), industrial OT (baggage handling, airfield lighting, HVAC, building management, fuel systems), passenger-facing technology (check-in kiosks, biometric boarding, public Wi-Fi, retail payment systems), and multiple third-party operators — airlines, ground handlers, caterers, retailers, security contractors — each with their own systems and network connections. The attack surface is vast. The consequences of failure span operational disruption, passenger data breaches, and in extreme cases, safety system compromise. CAA CAP 1753 and EASA Part-IS both recognise airports as critical aviation infrastructure with specific cybersecurity obligations.
Major airports combine IT, OT, passenger-facing systems, and dozens of third-party operators — creating one of the most complex cybersecurity environments in any sector.
The Airport Cybersecurity Attack Surface
Understanding airport cybersecurity requires mapping the full attack surface:
- Enterprise IT: Airport authority corporate systems — HR, finance, procurement, communications — subject to standard enterprise threats including phishing, ransomware, and BEC fraud
- Operational IT: Departure control, passenger processing, flight information systems, ground handling coordination — directly linked to flight operations and passenger experience
- OT/ICS: Baggage handling conveyors, airfield ground lighting, HVAC and building management, security screening systems, access control, CCTV infrastructure — physical infrastructure controlled by networked systems
- Passenger-facing systems: Check-in kiosks, biometric boarding gates, public Wi-Fi, retail payment terminals, self-service bag drop — all representing potential attack or data compromise vectors
- Third-party networks: Airlines, ground handlers, caterers, fuel suppliers, retail operators, security contractors — each bringing their own systems and access requirements into the airport environment
- Physical-cyber convergence: Access control systems, CCTV, airside security gates — where cyber compromise can have direct physical security implications
Passenger Data Protection at Airports
Airports accumulate significant passenger personal data and must manage it under UK GDPR and aviation regulatory frameworks:
- Biometric data: Facial recognition at boarding gates and security checkpoints — special category data requiring explicit consent and robust security controls
- Passenger Name Records: Flight manifests and booking data flowing through airport systems — coordinated with airlines and border agencies
- CCTV footage: Pervasive CCTV in airport environments creates significant data protection obligations around retention, access, and security
- Retail and payment data: Airport retail and food and beverage operators process payment card data under PCI DSS obligations
- Wi-Fi data: Public Wi-Fi user data including connection logs, device identifiers, and potentially browsing behaviour
- Access control data: Airside access records linking individuals to specific areas at specific times — sensitive security data with personnel privacy implications
Physical-Cyber Security Convergence at Airports
The convergence of physical and cyber security at airports creates unique risks that require joint physical and cyber security management:
- Access control system compromise: A cyber attack on electronic airside access control could allow unauthorised physical access to secure areas — a direct aviation security threat
- CCTV system compromise: Attackers gaining access to or disabling airport CCTV systems create physical security blind spots and intelligence collection opportunities
- Perimeter security systems: Fence intrusion detection and perimeter monitoring systems are increasingly networked and vulnerable to cyber interference
- Airfield ground lighting: Networked AGL systems that control runway and taxiway lighting are safety-critical OT systems — compromise could have direct aviation safety implications
- Security screening systems: Explosive detection systems and baggage X-ray systems with networked components represent critical OT security targets
Airport Cybersecurity Governance and Third-Party Risk
Effective airport cybersecurity governance must address the multi-operator environment that characterises airport operations:
- Unified network security policy: Airport authorities must set baseline security requirements for all operators connecting to airport infrastructure — airlines, ground handlers, retailers, and service providers
- Tenant network isolation: Network segments for tenant operators (airlines, retailers) should be isolated from airport authority operational networks
- Vendor access management: Controlled, monitored remote access for OT vendors and maintenance contractors is essential — uncontrolled vendor access is a primary OT risk vector
- Incident coordination: When an incident affects multiple operators at an airport, clear coordination protocols ensure a coherent response across all affected parties
- Regular security exercises: Airport cybersecurity exercises should involve multiple operators — airlines, ground handlers, authority IT teams — testing the joint response capability
Frequently Asked Questions
What cybersecurity regulations apply specifically to UK airport operators?
UK airport operators are subject to CAA CAP 1753 cybersecurity expectations as regulated aviation entities. Airports above defined passenger thresholds are classified as Operators of Essential Services (OES) under the UK NIS Regulations 2018, with binding security and incident reporting obligations managed by the CAA as competent authority. UK GDPR applies to all passenger data processing. For airports with EU-connected operations, EASA Part-IS and NIS2 obligations may also apply. The DfT and NCSC publish additional guidance for critical national infrastructure including airports.
How should airports manage cybersecurity for their retail and food and beverage tenants?
Airport retail and F&B operators typically have their own IT systems for point-of-sale and payment processing. Airport authorities should: require network isolation between retail systems and operational airport networks; mandate PCI DSS compliance for any retail operators processing payment cards; include basic security requirements (MFA, patching, endpoint protection) in tenant lease and operating agreements; and ensure that retail operator Wi-Fi and payment networks cannot be used to access airport operational systems. The airport authority is not directly responsible for tenant IT security but must ensure that tenant systems cannot compromise airport infrastructure.
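The network isolation requirement in this answer, and the tenant network isolation item in the governance list above, can be checked against an exported firewall rule set. The following is an added example, not part of the original article: the zone names, address ranges and rules are constructed for illustration, and rule order is not evaluated, so every allow rule that could bridge a tenant zone to an airport zone is reported for review.

```python
import ipaddress

# Constructed zone plan (assumption): names and ranges are illustrative only.
ZONES = {
    "tenant-retail":  ["10.50.0.0/16"],   # retail POS and tenant Wi-Fi
    "tenant-airline": ["10.60.0.0/16"],
    "airport-ops-it": ["10.10.0.0/16"],   # departure control, flight information
    "airport-ot":     ["10.20.0.0/16"],   # baggage handling, AGL, BMS
}
TENANT_ZONES = {"tenant-retail", "tenant-airline"}
PROTECTED_ZONES = {"airport-ops-it", "airport-ot"}

# Constructed rule export: (rule id, action, source, destination, service)
RULES = [
    ("R1", "allow", "10.50.0.0/16", "0.0.0.0/0",    "tcp/443"),   # "any" destination
    ("R2", "allow", "10.60.4.0/24", "10.10.8.0/24", "tcp/1433"),
    ("R3", "deny",  "10.50.0.0/16", "10.20.0.0/16", "any"),       # shadowed by R1 on 443
    ("R4", "allow", "10.10.0.0/16", "10.20.0.0/16", "tcp/502"),   # authority-internal
    ("R5", "allow", "10.60.0.0/16", "192.0.2.0/24", "tcp/443"),   # external service
]

def zones_touching(cidr, zone_names):
    """Return the named zones whose ranges overlap the given CIDR."""
    net = ipaddress.ip_network(cidr)
    return sorted(
        name for name in zone_names
        if any(net.overlaps(ipaddress.ip_network(z)) for z in ZONES[name])
    )

def find_isolation_violations(rules):
    """Flag allow rules whose source overlaps a tenant zone and whose
    destination overlaps a protected airport zone. Conservative: an earlier
    deny may shadow a flagged rule, so findings are candidates for review."""
    findings = []
    for rule_id, action, src, dst, service in rules:
        if action != "allow":
            continue
        for tenant in zones_touching(src, TENANT_ZONES):
            for protected in zones_touching(dst, PROTECTED_ZONES):
                findings.append((rule_id, tenant, protected, service))
    return findings

if __name__ == "__main__":
    for rule_id, tenant, protected, service in find_isolation_violations(RULES):
        print(f"{rule_id}: {tenant} -> {protected} allowed on {service}")
```

Broad rules such as R1 are the common failure: an allow to any destination also covers the operational and OT ranges, and because it sits ahead of the deny in R3 it would win on a first-match firewall.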
What is the relationship between aviation security (DfT/CAA) and cybersecurity at airports?
Aviation security (DfT/CAA) focuses on physical security — passenger and baggage screening, airside access control, and perimeter security. Cybersecurity is a distinct but increasingly overlapping domain — particularly where cyber systems control physical security infrastructure (electronic access control, CCTV, screening systems). At UK airports, the National Aviation Security Programme (NASP) addresses physical security; CAA CAP 1753 addresses cybersecurity. Increasingly, airports are developing joint physical-cyber security governance that treats physical-cyber convergence risks as requiring integrated management.
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.