Cyber security resilience at Amsterdam Airport Schiphol
Amsterdam Airport Schiphol is one of the busiest airports in Europe and of vital importance to the Netherlands. Three major players at the airport: the main carrier, Schiphol Group and Air Traffic Control the Netherlands (LVNL), have joined forces in order to increase the cyber security resilience.
The starting point was the concern to the CIO’s of the three companies over the continuity of flight operations at Schiphol due to lack of knowledge of joint IT dependencies and vulnerabilities. As a first step a Cybersecurity Resilience Taskforce Schiphol was established and a plan of action defined:
■ Step 1: Preparation of an overview of the information exchanged and the datalinks between the partners
■ Step 2: Execution of the Business Impact Analyses of the information exchanged
■ Step 3: Threat and Risk assessment
■ Step 4: Fit / gap analysis to the existing policies
■ Step 5: Reporting of findings.
One of the most important findings was an imbalance in Disaster Recovery, Business Continuity and Security requirements between the partners. The main reason of the imbalance is due to the fact that information exchange often starts ‘organically’ and becomes business critical over time. SLA, contracts, infrastructure, etc. are not (always) adapted accordingly. Furthermore, Disaster Recovery, Business Continuity and Security plans are usually company specific, not supply chain specific. This could lead to disconnected companies in the chain. Now, and in future.
Based on the findings a security plan has been developed on how to improve the cyber resilience. The easiest was to set up a quarterly meeting between the CIO’s of the three partners, in which information on future projects is exchanged, threats and vulnerabilities are shared and security exercises are planned. Basically, the approach now is ‘connected company’, rather than only looking at our own companies or at a single systems. Next to this a common security baseline is under development.
The newest initiative at Amsterdam Airport Schiphol is Cyssec (www.cyssec.com). The goal of this ‘Cybersecurity Ecosystem’ is to strengthen the cybersecurity resilience of all (public and private) parties connected to the Schiphol ecosystem.
Ing. Antony Verheijen MSc CISSP is information security manager for Air Traffic Control the Netherlands (LVNL). In this role he is the vice-chair of the Airport Information Sharing and Analysis Centre (ISAC) at Schiphol Airport and one of the drivers of cyber resilience at Schiphol. Before joining LVNL, Antony was Corporate Information Security Officer for METRO Group.