Airport Cybersecurity: Essential Guide for Part 139 Facilities and FBOs

Complete guide to airport cybersecurity for Part 139 facilities, general aviation airports, and FBOs. Covers TSA requirements, critical systems, and implementation.

Teddy Cooper

11/23/2025 · 11 min read


Quick Answer

Airport cybersecurity (also called airport cyber security) protects critical aviation infrastructure—navigation aids, airfield lighting, access control, and operational technology systems—from cyber threats while meeting TSA compliance requirements. Unlike generic IT security, airport cybersecurity must balance safety, security, availability, and regulatory compliance simultaneously. Key priorities include network segmentation between IT and OT systems, multi-factor authentication, continuous monitoring, and risk-based patch management for systems that can't tolerate downtime.

Introduction: Why Airport Cybersecurity Is Different

If you manage an airport—Part 139 facility, general aviation airport, FBO—you've heard the drumbeat. TSA requirements. FAA guidance. Headlines about ransomware hitting aviation facilities.

Here's what generic cybersecurity advice gets wrong: airports aren't office buildings with fancier equipment.

Your runway lighting system doesn't care about protecting spreadsheets. Your ILS doesn't store customer data. But if either goes down during low-visibility operations, you have a safety emergency. That's the difference.

Generic IT security focuses on confidentiality—keeping data private. Airport cybersecurity focuses on availability—keeping critical systems running. When IT consultants walk in talking about automatic patching and scheduled reboots, they're thinking about computers. You're thinking about systems that aircraft depend on.

I spent 16 years as an FAA Electronic Engineer and 7 years as an Air Traffic Support Specialist, maintaining ILS and navigation aids. Before that, 17 years in military avionics. I've seen what happens when someone tries to apply office IT security to systems that were designed before cybersecurity existed. It doesn't work.

This guide covers airport cyber security specifically—not generic advice with aviation buzzwords added. Whether you're starting from scratch or trying to make sense of TSA requirements, we'll cover what actually matters for your facility.

Why Airports Face Unique Cybersecurity Challenges

Before we get into solutions, let's talk about why airport cybersecurity needs a different approach.

The IT/OT Convergence Problem

IT security protects confidentiality. OT security protects availability. That's the core tension.

Your email server stores sensitive data. If it goes offline for an hour while you patch it, people are annoyed but safe. Your runway lighting controls don't store sensitive data, but if they go offline during operations, aircraft can't land safely.

Traditional IT security practices—automatic updates, frequent reboots, aggressive patching—assume you can afford downtime. Airport OT systems can't. Apply office IT security to your ILS monitoring system, and you might take navigation aids offline. That's not acceptable.

Airport cybersecurity balances four things at once:

  • Safety - Systems must operate reliably

  • Security - Systems must resist cyber threats

  • Availability - Systems must be accessible when needed

  • Compliance - Systems must meet regulatory requirements

Generic IT consultants optimize for one or two. You need all four.

Legacy Systems Are Everywhere

Walk through any airport's technical infrastructure. Is that SCADA system controlling the fuel farm? Installed in 2005. Serial connections to navigation aids? Designed in the 1990s.

These systems work. They're reliable. But they weren't designed with cybersecurity in mind. Many run operating systems that haven't received security updates for years. Some use protocols that send data in clear text. Others have default passwords that can't be changed without breaking something.

You can't replace everything—the cost would be astronomical, and operationally, the systems are fine. Airport cyber security means protecting systems that can't be secured through traditional methods.

Infrastructure Spread Across Geography

Corporate offices put everything in one building. Airports spread infrastructure across hundreds of acres. Your ILS equipment sits at the runway approach end. Weather sensors are positioned around the airfield. Remote transmitter buildings might be miles from the terminal.

Each location needs connectivity, physical security, and cyber protection. Each is a potential entry point. Each has environmental constraints that limit what security measures work.

Regulatory Complexity You Can't Ignore

Airports operate under multiple frameworks that don't always align:

  • TSA - Security directives and cybersecurity requirements

  • FAA - Part 139 certification, Part 171 navigation aids, and upcoming cybersecurity rules

  • State and local - Various requirements depending on jurisdiction

Meeting one doesn't automatically satisfy the others. The landscape keeps evolving—FAA cybersecurity rulemaking is coming and will add new requirements.

Your cybersecurity program needs to satisfy current requirements while staying flexible for what's next.

Critical Airport Systems That Need Protection

Let's look at the specific systems that need cybersecurity attention. You can't protect everything equally—understanding what you're protecting helps you prioritize.

Navigation Aids

ILS, VOR, DME, NDB—these systems enable aircraft to find and land at your facility, especially when visibility is poor.

Historically, navigation aids operated in isolation. Modernization has connected many to IP networks for remote monitoring, maintenance, and data collection. That connectivity creates exposure.

Key vulnerabilities:

  • Serial-to-IP converters lacking authentication

  • Remote monitoring systems with default credentials

  • Network connections bypassing security controls

  • Legacy protocols transmitting unencrypted data

Why it matters: Compromised navigation aids could feed false information to aircraft or disrupt operations during critical flight phases. Even if attackers can't manipulate the signal directly, disrupting monitoring forces manual inspection and potentially leads to shutdowns.

For detailed coverage of navigation aid security, see our companion article on ILS and Navigation Aid Cybersecurity.

Airfield Lighting Systems

Modern airfield lighting—runway lights, taxiway lights, PAPI, and approach lighting (ALS, MALSR)—increasingly uses computerized controls: remote operation, dimming, and integration with other systems.

Key vulnerabilities:

  • Control systems connected to airport networks

  • Remote access for maintenance and operations

  • Integration creates lateral movement paths

  • Older systems with unpatched software

Why it matters: Airfield lighting is essential for safe operations at night and in low visibility. Ransomware turning off lighting controls forces airport closure.

Weather Systems

ASOS, AWOS, and related weather systems provide critical operational information. Network connectivity for data distribution and remote maintenance creates exposure.

Key vulnerabilities:

  • Network connectivity for data transmission

  • Remote access for calibration and maintenance

  • Integration with flight information systems

  • Sensor networks across the airfield

Why it matters: Weather information directly affects flight safety decisions. Manipulated data leads to dangerous choices. Even simple disruptions force a fallback to less accurate backup procedures.

Access Control and Security Systems

Badge readers, gates, door controllers—inherently networked. Video surveillance depends on network infrastructure.

Key vulnerabilities:

  • Large attack surface (many devices, many locations)

  • Integration with building systems

  • Remote management interfaces

  • Legacy systems with known vulnerabilities

Why it matters: Access control systems protect the entire facility. Compromise enables physical breaches, turns off monitoring, or gives attackers intelligence about security operations.

Baggage Handling Systems

For commercial airports, baggage handling represents complex, networked industrial control: conveyors, sorting equipment, screening integration, and tracking systems.

Key vulnerabilities:

  • Industrial control with legacy components

  • Integration with TSA screening systems

  • Real-time requirements limiting maintenance windows

  • Complex vendor relationships

Why it matters: BHS disruptions directly affect operations and the passenger experience. The 2024 Southwest holiday meltdown showed how OT failures cascade into massive disruptions.

Fuel Systems

Airport fuel farms increasingly use SCADA for monitoring and control: tank levels, pump operations, and distribution.

Key vulnerabilities:

  • SCADA with legacy components

  • Remote monitoring and control

  • Safety system integration

  • Vendor remote access for maintenance

Why it matters: Fuel disruption halts operations. Safety incidents create serious hazards. Fuel systems often connect to financial systems for billing, creating additional exposure.

Flight Information Display Systems (FIDS)

FIDS show flight information throughout terminals. These are simple displays that connect to airline feeds, operational systems, and content management platforms.

Key vulnerabilities:

  • Network connectivity for data feeds

  • Content management interfaces

  • Integration with multiple external systems

  • Often lower security priority despite visibility

Why it matters: FIDS compromise has been seen in several high-profile incidents. Attackers display political messages, fake emergencies, and offensive content. Beyond embarrassment, this demonstrates network access.

Business and Administrative Systems

Email, financial systems, employee records, operational databases. These face the same threats as any business, but with additional implications.

Key vulnerabilities:

  • Standard IT vulnerabilities (phishing, ransomware, etc.)

  • Integration with operational systems

  • Sensitive data (employee information, security plans)

  • Vendor and contractor access

Why it matters: Business system compromises can spill over into operational systems. Ransomware that starts in email spreads to control systems. Stolen security procedures benefit adversaries.

Understanding TSA Cybersecurity Requirements

TSA issued cybersecurity requirements through Emergency Amendment EA 23-01 in March 2023. These apply to TSA-regulated airport operators and establish baseline expectations.

The Four Core Requirements

1. Network Segmentation

Develop policies and controls to ensure operational technology systems can continue operating safely if information technology systems are compromised, and vice versa.

What this actually means:

  • Separate OT networks from IT networks

  • Implement firewalls between segments

  • Control traffic between zones

  • Isolate critical systems

2. Access Control

Create measures to secure and prevent unauthorized access to critical cyber systems.

What this actually means:

  • Implement multi-factor authentication

  • Use individual accounts (no shared credentials)

  • Apply the principle of least privilege

  • Manage vendor and contractor access

  • Remove access promptly when no longer needed

3. Continuous Monitoring

Implement policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies.

What this actually means:

  • Deploy security monitoring tools

  • Collect and analyze logs

  • Establish alerting for suspicious activity

  • Monitor OT systems appropriately (without disrupting operations)

4. Patch Management

Reduce exploitation risk by applying security patches promptly using a risk-based methodology.

What this actually means:

  • Inventory systems and software

  • Track available patches

  • Test before deploying to critical systems

  • Apply patches on a risk-prioritized schedule

  • Document exceptions for systems that can't be patched

Implementation Plan Requirements

Beyond the four requirements, airports must develop a Cybersecurity Implementation Plan (CIP) documenting how they'll achieve and maintain compliance.

The plan must include:

  • Cybersecurity policies and procedures

  • Roles and responsibilities

  • Technical control implementations

  • Testing and audit procedures

  • Incident response procedures

For detailed coverage of TSA requirements, see our companion article, TSA Cybersecurity Requirements for Airports.

Building Your Airport Cybersecurity Program

Now let's talk about actually implementing this. Here's a practical roadmap you can adapt to your facility's size, resources, and risk profile.

Phase 1: Assessment and Planning (Months 1-2)

Before buying security tools, understand your current state.

Asset Inventory

Create a comprehensive inventory of everything that connects to networks or processes digital information:

  • What systems do you have?

  • Where are they located?

  • How do they connect?

  • Who maintains them?

  • What data do they process?

This sounds basic. Many airports lack complete, accurate inventories. You can't secure what you don't know exists.

Network Mapping

Document your network architecture:

  • How are networks segmented (or not)?

  • What traffic flows between segments?

  • Where are external connections?

  • What remote access exists?

Gap Assessment

Compare current state against requirements:

  • TSA's four core requirements

  • State or local requirements

  • Industry best practices

  • Your own risk tolerance

Identify gaps. Prioritize based on risk. Not all gaps are equally urgent.

Planning

Develop your Cybersecurity Implementation Plan:

  • What will you implement?

  • In what order?

  • With what resources?

  • On what timeline?

Be realistic about resources. A plan you can't execute helps no one.

Phase 2: Quick Wins (Months 2-3)

Start with high-impact, lower-effort improvements. Build momentum and address critical gaps.

Credential Hygiene

  • Eliminate shared accounts

  • Change default passwords

  • Implement password requirements

  • Remove unnecessary accounts

This costs nothing but time and immediately reduces risk.

Network Segmentation (Basic)

  • Separate guest WiFi from internal networks

  • Isolate critical OT systems where feasible

  • Implement basic firewall rules

  • Document what's connected to what

You don't need perfect segmentation immediately. Start with the most critical separations.

Access Control Improvements

  • Enable MFA where available

  • Review who has access to what

  • Remove excessive permissions

  • Establish access review procedures

Focus first on administrative accounts and critical systems.

Backup Validation

  • Verify backups exist for critical systems

  • Test that you can actually restore from backups

  • Ensure backups are protected from ransomware

  • Document recovery procedures

Backups are your last line of defense against ransomware.

Phase 3: Systematic Implementation (Months 4-12)

With quick wins complete, implement comprehensive controls systematically.

Network Segmentation (Comprehensive)

  • Design a proper network architecture

  • Implement VLANs for different system types

  • Deploy firewalls between segments

  • Configure traffic rules

  • Document and test

This typically requires professional network engineering support.
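
The "document and test" step above, and the TSA segmentation requirement to control traffic between zones, can be checked by comparing observed flows against the documented zone policy. The following is an added example, not part of the original article; the zone names, subnets, allowed services and flow records are all constructed assumptions.

```python
"""Check observed flows against a default-deny IT/OT zone policy."""
import ipaddress

# Constructed zone plan (assumption): one subnet per zone.
ZONES = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "it_business": "10.10.0.0/16",
    "ot_airfield": "10.20.0.0/16",   # lighting controls, NAVAID monitoring
    "ot_mgmt": "10.30.0.0/24",       # maintenance workstations
    "guest_wifi": "172.16.0.0/16",
}.items()}

# Documented conduits (assumption): (src_zone, dst_zone) -> allowed services.
# Any cross-zone pair not listed here is denied.
ALLOWED = {
    ("ot_mgmt", "ot_airfield"): {("tcp", 22), ("tcp", 443)},
    ("ot_airfield", "it_business"): {("udp", 514)},  # log export to collector
}

# Constructed flow records: src_ip,dst_ip,proto,dst_port
SAMPLE_FLOWS = """\
10.30.0.5,10.20.1.10,tcp,443
10.20.1.10,10.10.5.20,udp,514
10.10.8.44,10.20.1.10,tcp,3389
172.16.3.9,10.20.4.2,tcp,80
10.30.0.5,10.20.1.10,tcp,23
10.10.8.44,10.10.5.20,tcp,445
192.0.2.77,10.20.1.10,tcp,22
"""


def zone_of(ip):
    """Return the zone containing ip, or 'unknown' if no zone matches."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def audit(flow_text):
    """Return every cross-zone flow that the documented policy does not allow."""
    violations = []
    for line in flow_text.strip().splitlines():
        src, dst, proto, port = [f.strip() for f in line.split(",")]
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone and src_zone != "unknown":
            continue  # intra-zone traffic is outside this check
        allowed = ALLOWED.get((src_zone, dst_zone))
        if allowed is None:
            reason = "no conduit defined between zones"
        elif (proto.lower(), int(port)) not in allowed:
            reason = "service not permitted on this conduit"
        else:
            continue
        violations.append({
            "src": src, "dst": dst,
            "src_zone": src_zone, "dst_zone": dst_zone,
            "service": f"{proto}/{port}", "reason": reason,
        })
    return violations


if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print(f"{v['src_zone']} -> {v['dst_zone']} {v['service']}: {v['reason']}")
```

Flow records in this shape can be exported from firewall logs or a passive network tap, which avoids active scanning of OT equipment.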

Security Monitoring

  • Implement log collection

  • Deploy monitoring tools appropriate to your environment

  • Establish alerting thresholds

  • Create response procedures

  • Consider managed security services if you lack in-house expertise

Monitoring only helps if someone acts on alerts.

Vulnerability Management

  • Establish vulnerability scanning

  • Create patch management procedures

  • Test patches before deploying to critical systems

  • Document exceptions and compensating controls

  • Track remediation progress

OT systems require careful patch management to avoid disrupting operations.
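
One way to turn the patch-management bullets above into a repeatable triage is sketched below: patchable systems are scheduled in risk order, unpatchable systems need a documented exception plus compensating controls, and anything else is reported as a gap. This is an added example, not part of the original article; the asset names, fields and the scoring weights are constructed assumptions.

```python
"""Risk-based patch triage with exception tracking for OT assets."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    safety_critical: bool   # loss of the system affects aircraft operations
    network_exposed: bool   # reachable from IT networks or remote access
    patch_pending: bool
    patchable: bool         # a supported patch and a maintenance window exist
    exception_documented: bool = False
    compensating: list = field(default_factory=list)


# Constructed inventory (assumption), one record per system.
INVENTORY = [
    Asset("airfield-lighting-hmi", True, True, True, True),
    Asset("fuel-farm-scada", True, True, True, False, True,
          ["isolated VLAN", "enhanced monitoring"]),
    Asset("ils-monitor-gateway", True, False, True, False),
    Asset("fids-cms", False, True, True, True),
    Asset("finance-server", False, False, True, True),
    Asset("awos-display", False, False, False, True),
]


def risk_score(asset):
    """Illustrative weighting (assumption): safety impact outweighs exposure."""
    return 2 * asset.safety_critical + 1 * asset.network_exposed


def triage(inventory):
    """Split assets with pending patches into schedule, exceptions and gaps."""
    schedule, exceptions, gaps = [], [], []
    for a in inventory:
        if not a.patch_pending:
            continue
        if a.patchable:
            # Critical systems get a test step before the production change.
            step = ("test in non-production, then patch in maintenance window"
                    if a.safety_critical else "patch in next regular cycle")
            schedule.append((risk_score(a), a.name, step))
        elif a.exception_documented and a.compensating:
            exceptions.append((a.name, a.compensating))
        else:
            # Unpatched, with no documented exception or compensating control.
            gaps.append(a.name)
    schedule.sort(key=lambda item: item[0], reverse=True)
    return {"schedule": schedule, "exceptions": exceptions, "gaps": gaps}


if __name__ == "__main__":
    result = triage(INVENTORY)
    for score, name, step in result["schedule"]:
        print(f"[risk {score}] {name}: {step}")
    for name, controls in result["exceptions"]:
        print(f"[exception] {name}: {', '.join(controls)}")
    for name in result["gaps"]:
        print(f"[gap] {name}: needs exception and compensating controls")
```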

Training and Awareness

  • Train all staff on cybersecurity basics

  • Provide role-specific training for technical staff

  • Conduct phishing awareness training

  • Test and reinforce regularly

People are both your greatest vulnerability and your best defense.

Phase 4: Continuous Improvement (Ongoing)

Cybersecurity isn't a project; it's a program. Plan for continuous operation and improvement.

Regular Assessments

  • Conduct periodic vulnerability assessments

  • Perform annual program reviews

  • Test incident response procedures

  • Update risk assessments when things change

Metrics and Reporting

  • Track security metrics

  • Report to leadership regularly

  • Demonstrate compliance with regulators

  • Identify trends and areas for improvement

Program Maturity

  • Expand capabilities over time

  • Increase automation where beneficial

  • Build security into change management

  • Develop internal expertise

Common Airport Cybersecurity Challenges (And Solutions)

Based on working with airports of various sizes, here are the obstacles you'll likely face and how to address them.

"We Don't Have Cybersecurity Expertise"

Most airports lack dedicated cybersecurity staff. This is normal.

Solutions:

  • Partner with consultants who understand aviation (not just generic IT security)

  • Use managed security service providers for ongoing monitoring

  • Send key staff to aviation cybersecurity training

  • Join industry groups to learn from peers (AAAE, ACI-NA, ATCA)

  • Start with what you can manage and build capability over time

You don't need to become experts. You need enough knowledge to make good decisions and manage qualified help.

"Our Systems Are Too Old to Secure"

Legacy systems are everywhere in aviation. You can't replace everything overnight.

Solutions:

  • Compensating controls—if you can't patch the system, isolate it from networks.

  • Network segmentation—put legacy systems on separate, monitored networks

  • Physical security—some systems rely on physical access controls

  • Enhanced monitoring—watch legacy systems more closely

  • Plan for replacement—build modernization into capital plans

The goal isn't perfect security for every system. It's reducing overall risk to acceptable levels.

"We Can't Afford This"

Budget constraints are real, especially for smaller airports.

Solutions:

  • Prioritize based on risk—address the most critical gaps first

  • Phase implementation—spread costs over multiple budget cycles

  • Use free and low-cost tools where appropriate

  • Partner with other airports for shared services

  • Apply for grants (DHS, state programs)

  • Document compliance obligations—this is required, not optional

Some cybersecurity improvements cost nothing but time. Others are investments preventing much larger losses. Frame cybersecurity as risk management, not expense.

"We Can't Disrupt Operations"

Airports operate 24/7. You can't shut things down for security upgrades.

Solutions:

  • Careful planning and change management

  • Maintenance windows during low-traffic periods

  • Phased implementations with rollback plans

  • Test in non-production environments first

  • Coordinate with all stakeholders

This is why airport cybersecurity requires aviation expertise. Generic IT approaches that assume you can reboot at any time don't work here.

"Our Vendors Won't Cooperate"

Many airport systems are maintained by vendors who resist security changes.

Solutions:

  • Include security requirements in contracts

  • Require security documentation from vendors

  • Audit vendor access and practices

  • Escalate to vendor management when needed

  • Plan for vendor transitions if necessary

You're responsible for security even when vendors provide systems. Make security expectations clear and hold vendors accountable. Whether your team calls it cybersecurity or cyber security, the challenges are the same—protecting critical aviation infrastructure while maintaining 24/7 operations.

Preparing for Future Requirements

The regulatory landscape keeps evolving. Position your program for what's coming.

FAA Cybersecurity Rulemaking

The FAA is conducting cybersecurity rulemaking that will add requirements beyond current TSA mandates. Final rules aren't published yet, but you can prepare by:

  • Building flexible, standards-based programs

  • Documenting what you do and why

  • Maintaining current asset inventories

  • Establishing good security fundamentals

Organizations with mature programs adapt more easily to new requirements.

Increasing Threat Sophistication

Threat actors continue improving their capabilities. Ransomware groups specifically target organizations that can't afford downtime—like airports.

Prepare by:

  • Building detection and response capabilities

  • Testing incident response procedures

  • Maintaining offline backups

  • Developing relationships with law enforcement and information-sharing organizations

Technology Changes

Airport technology continues evolving. New systems bring new capabilities—and new security requirements.

When acquiring new systems:

  • Include security requirements in specifications

  • Evaluate vendor security practices

  • Plan for secure integration

  • Budget for ongoing security maintenance

Building security in from the start costs less than retrofitting later.

Getting Started: Your Next Steps

Feeling overwhelmed? That's normal. Airport cybersecurity is complex. But you don't have to solve everything at once.

Here's how to start:

Step 1: Assess Your Current State

Before you can improve, understand where you are. A gap assessment identifies your most critical vulnerabilities and helps prioritize.

You can conduct a basic self-assessment using available checklists and guidance. For thorough results, consider engaging qualified aviation cybersecurity expertise.

Step 2: Address Critical Gaps

Based on your assessment, address the most critical gaps first. Focus on:

  • Issues that could cause safety impacts

  • Clear compliance violations

  • Easy wins that reduce significant risk

Don't try to fix everything at once. Prioritize and make steady progress.

Step 3: Build Your Program

Develop the policies, procedures, and capabilities for ongoing security management:

  • Documented procedures

  • Assigned responsibilities

  • Regular activities (monitoring, patching, review)

  • Incident response capabilities

Step 4: Maintain and Improve

Cybersecurity is ongoing. Plan for:

  • Regular assessments and testing

  • Continuous monitoring

  • Program updates as requirements evolve

  • Capability building over time

The Bottom Line

Airport cybersecurity is challenging but manageable with the right approach. The keys:

  • Understand your unique environment—airport security isn't generic IT security

  • Know your systems—you can't protect what you don't know about

  • Prioritize based on risk—address the most critical issues first

  • Build systematically—develop a real program, not point solutions

  • Plan for the long term—cybersecurity is ongoing, not a one-time project

The airports succeeding in cybersecurity aren't necessarily the ones with the largest budgets. They're the ones systematically approaching security, making consistent progress, and building programs that align with their actual operations.

Whether you're a large Part 139 hub or a small general aviation airport, the fundamentals are the same. Start where you are, use what you have, and make steady progress. That's how you build fundamental airport cybersecurity.

Take the Next Step

Not sure where your airport's cybersecurity gaps are?

Our free Airport Cybersecurity Quick Assessment helps you identify your most critical vulnerabilities in just 10-15 minutes. You'll receive:

  • Overall risk level assessment

  • Top vulnerabilities at your facility

  • Priority recommendations

  • Practical next steps


No sales pitch. No obligation. Just a clear picture of where you stand and what to prioritize.

About the Author: With 28 years of aviation experience—including 17 years in military avionics, 16 years as an FAA Electronic Engineer, and 7 years as an Air Traffic Support Specialist specializing in navigation aids and airport ground equipment—I help airports understand and address their unique cybersecurity challenges.
