As adversaries watch and wait, Western Sydney Airport is a greenfield cybersecurity opportunity

Australia’s newest airport is building cybersecurity into its core, offering lessons for other infrastructure projects across the country.

The decision to progress the design and construction of a second Sydney airport after decades of negotiations offers the rare chance to build a major aviation hub from the ground up — but with foreign operatives already sniffing around, construction of a robust cybersecurity defence is proving to be as important as the pouring of concrete.

Potential security threats to Australian airports were among the incidents cited by Australian Security Intelligence Organisation director-general Mike Burgess late last year, who noted in his last annual threat assessment that the organisation had “focused on a nest of spies, from a particular foreign intelligence service, that was operating in Australia” and requested information about airport security protocols at “a major airport”.

Those spies — who were not from the Asia-Pacific region, Burgess took care to note — were “quietly and professionally removed” from the country, as have been others discovered and investigated by ASIO.

Although their threats were neutralised, their success in infiltrating Australia’s political machinery — building relationships with current and former politicians, a foreign embassy and a state policy service, among others — highlights the ever more adversarial climate into which the $5.3b Western Sydney International (Nancy-Bird Walton) Airport will open in 2026.

The threat of cyberattacks on the airport is far more than theoretical. In 2020, San Francisco International Airport was targeted by hackers that have been linked to the Russian government, with other attacks documented and a widely-cited European Aviation Safety Agency (EASA) report noting that aviation systems are targeted on average 1000 times per month.

EASA formed a dedicated cybersecurity industry group in 2019 to foster discussion and remediation of cybersecurity risks — an approach that reflects the growing need to protect airports and aviation-related systems from cybercriminal attack.

ASIO’s latest annual report flagged an “enduring” threat to Australia from espionage and foreign interference, warning that while increasing operational initiatives “have made the operating environment more difficult for our adversaries, they have adapted their methods without changing their intent.”

“Cyberespionage remains the most pervasive approach adopted by our adversaries,” the intelligence agency warned. “It is highly effective and deniable, and can be executed remotely…. Robust cybersecurity remains critically important in defending Australia from threats to security in the digital age.”

Putting cyber at the core

Shaping that defence has been a critical part of planning for the myriad subcontractors involved in the project, who had spent more than three years planning its layout, infrastructure, security, and other elements before the terminal’s groundbreaking last November.

Cybersecurity is one of four core elements of security design and integration — the others being business requirements, human safety, and physical security — that will guide the construction and operation of the “world-class airport” and its supporting systems, noted Maksym Szewczuk, safety and security design manager with project delivery partner Bechtel Australia.

With “the advent of security convergence, making sure that information security and cybersecurity, and unnecessary intrusion through the physical security system of cyberattacks, is addressed,” he told the recent ASIAL Security Conference.

Bechtel and its partners were using a cyclical approach of continuous assessment and improvement, embedding the ISO 31000 risk management model into the design process and conducting regular risk assessments on “elements of security being seamlessly integrated into architecture, technology, business operations, and security operations.”

Cyber and other security elements are, Szewczuk said, being “addressed in the early stages of the design cycle and assessed continuously through design and development.”

Incorporating security early in the design process may increase costs in the short term, but it also enables “better integration of security elements into the business requirements and business objectives,” he said.

This includes extensive monitoring and use of business metrics to monitor operational security, using the security system as a data collection system that, he said, provides “greater synergy between safety and security [and] making sure that the [workplace safety] function and security function are well aligned in the treatment of safety and security risks as a combined exercise.”

Implementing security by design requires forethought, planning for flexibility and future technologies, he said, along with the use of intelligence and evidence-based risk management.

“It’s about making sure that the risks that are being treated are based on incidents and evidence — trying to be as proactive as possible, rather than being emotive and reactive.”

Countering the infrastructure threat

Even as Bechtel manages the top-down view of security across its many layers, technology service provider DXC Technology will be more directly involved in the cybersecurity architecture at Western Sydney Airport.

Having been recently chosen as master systems integrator for the project, DXC and partner Chavali Consulting will plan and deliver integration, cybersecurity, and hosting platforms to unify more than 60 operational systems.

“Building a greenfield airport from the ground up is a once-in-a-lifetime opportunity that will allow us to bring the latest innovation to the airport and apply technologies that are emerging,” DXC Asia-Pacific president Seelan Nayagam said in announcing the firm’s plans to support the airport with “state-of-the-art technology and forward-thinking principles”.

Given the strategic importance of the new airport as a conduit for passengers — 5 million per year upon its opening and 82 million by 2063 — those principles will dovetail with the government’s increasing focus on protecting critical infrastructure.

With Australia already strengthening its Asia-Pacific position and its AUKUS partnership attracting increased scrutiny from other nation-states, robust cybersecurity will be critical to ensure the airport fulfils expectations and maintains the resiliency it needs.

“Hardening is presented within infrastructure, but it’s integrated and seamless,” said Bechtel’s Szewczuk, who highlighted the move away from a “fortress type environment” to “creating indiscernible layers of security.”

That included putting “vast amounts of computing power and smarts behind cameras and access control, and AI put to use in a sensible way that treats risk and responds well but diverts human attention to where it needs to be.”

“Overall security layers of presence are not felt to authorised users,” he said, “and security features will blend seamlessly with the environment — making the resulting infrastructure secure but inviting to use and to visit.”

Copyright © 2022 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022