SA's three major airports – OR Tambo in Johannesburg, Cape Town International, and King Shaka International in Durban – have been found to have risks relating to cyber security, compliance and privacy.

This came to light during a research exercise conducted by Switzerland-based Web security company ImmuniWeb in response to a recently released World Economic Forum (WEF) report.

The “Advancing Cyber Resilience in Aviation: An Industry Analysis” report is aimed at “raising awareness about key systemic challenges to cyber resilience in the aviation industry”.

In the report, the WEF noted cyber resilience involved more than the security of assets. It also required a focus on protecting critical functions. In addition, it warned that cyber security challenges, including privacy issues, remained largely underestimated.

South African airports are not alone in their cyber-vulnerability. ImmuniWeb's research covered all of the 2019 Top 100 Airports voted for by air travellers in the Skytrax World Airport survey. Only four of these airports are in Africa (the fourth is Mauritius Airport); 35 are in Asia; 33 in Europe; 19 in North America; six in Oceania; and three in South America.

Of the 100 airports, ImmuniWeb found that only three – Amsterdam Airport Schiphol, Helsinki-Vantaa Airport, and Dublin Airport – successfully passed all the security tests without a single serious issue being detected.

The survey also revealed that:

Ninety-seven percent of airport Web sites contain outdated Web software, with 24% of the Web sites containing known and exploitable vulnerabilities.

All of the airports' mobile apps contain at least two vulnerabilities.

An average of 15 security or privacy issues was detected per mobile app.

Two-thirds (66%) of airports are exposed to the Dark Web, with 72 of the 325 exposures regarded as being of a critical or high risk, indicating a serious breach.

Eighty-seven percent of airports have data leaks on public cloud repositories – with 503 of the 3 184 leaks rated as critical or high risk for potentially enabling a breach.

The ImmuniWeb report did not specify which airports had each of the different vulnerabilities, nor how seriously each specific airport was affected. So, for example, while 87 of the 100 airports had some sensitive or internal data exposed in various public code repositories – and 59 of these were identified with code leakages of critical risk and 61 with high risk – it is impossible to determine whether SA airports are included in that number.

The report also noted that while application weaknesses and software vulnerabilities continue to be the most common means by which cyber criminals carry out external attacks, only three airport Web sites received the best possible “A+” grade – meaning not a single issue or misconfiguration was found.

Fifteen airports were rated “A” with only minuscule issues found, while a troubling 24 were found to have exploitable and publicly known security vulnerabilities, thus earning an “F” rating. A further 47 were found to have security vulnerabilities or several serious misconfigurations.

Commenting on the research, Ilia Kolochenko, CEO and founder of ImmuniWeb, said: “Given how many people and organisations entrust their data and lives to international airports every day, these findings are quite alarming. Being a frequent flyer, I frankly prefer to travel via the airports that do care about their cyber security. Cyber criminals may well consider attacking the unwitting air hubs to conduct chain attacks of the travellers or cargo traffic, as well as aiming attacks at the airports directly to disrupt critical national infrastructure.”