Date: 2024-11-21

Supply chain attacks have emerged as one of the primary challenges for cybersecurity teams, with attackers recognizing that software providers and other third-party services can provide an accessible gateway to high-value targets. This is a particularly significant issue in the aviation sector, which relies on a complex ecosystem of third-party services and external IT tools to operate efficiently. The compromise of a key provider has the potential to cause huge disruption to air travel, with severe knock-on effects to the global economy. London Gatwick Airport’s Head of Cyber Security, Megan Poortman, spoke to Infosecurity about supply chain cybersecurity challenges in a critical international airport environment. Poortman also talked about learnings from dealing with the impact of the CrowdStrike IT outage in July 2024 and the evolving cybersecurity compliance landscape.

Infosecurity Magazine: What are the unique cybersecurity supply chain challenges facing the aviation industry today?

Megan Poortman: I think across all verticals we’re seeing the same challenges with managing large supply chain estates, whether it’s down to resources, technologies or toolsets. This is not just about cyber but across all areas of the business. At Gatwick Airport we have multiple suppliers and it’s about understanding the risk assessment for each of them. Firstly, this involves meeting suppliers and talking to them about cybersecurity. It’s not number one on all suppliers’ agendas, but it’s about starting to bake that into being something the business is responsible for. In the past with health and safety, we realized we needed to do supplier reviews and have contract conversations. Cybersecurity now needs to be on that agenda. When we start to look at some of the key supply chain challenges, being part of critical national infrastructure (CNI) means we are a key target for cyber-attacks. It’s not just the operators of essential services, it’s our supply chain as well that’s the target.

IM: What is Gatwick airport’s approach to managing supply chain security, working with the many organizations that operate on the site?

MP: My approach since working at Gatwick has been to focus on our strategic partners. I call them partners and not suppliers because these are companies that help us with our strategic goals. If there are any glitches in our suppliers, it causes queues of passengers out of the door, leading to passengers missing holidays etc. We want partnerships with those suppliers who want to help us achieve our end-to-end objectives. Our approach has been focusing on those top tier partners and looking at how do we broker the conversation about their strategic vision in cybersecurity. Is cyber on their product improvement roadmap? Is cyber something they consider? Do they know how to report a breach?
It’s breaking it down and moving away from massive spreadsheets of questions and streamlining what we really care about and working with the supply chain to impact that. We also lean into guidance from agencies like the UK National Cyber Security Centre (NCSC) which we can refer our suppliers to. This is especially important for small suppliers, who don’t necessarily have IT and cyber departments. For example, there’s a lot of great guidance from the NCSC on how to protect against ransomware and how to secure email, such as using multifactor authentication (MFA).

IM: In July, it was reported that Gatwick airport was impacted by the CrowdStrike global IT outage. Were you able to take any learnings from this incident in terms of incident response and cyber resiliency at the airport?

MP: The CrowdStrike incident showed the reliance on global IT providers and the potential impact when something goes wrong with those systems. The key learning is to continue to test our crisis resilience plans and use tabletop exercises. It was an event that the impact and scale of was not predicted. The likelihood of such an event would have been considered low.
