Groupe ADP called on Yogosha and its hackers to test the cybersecurity of airport equipment. We spoke to its CISO, Eric Vautier.
Eric Vautier is Groupe ADP’s CISO; he is in charge of digital security at Paris-CDG, Paris-Orly and Paris-Le Bourget airports. Listening to him speak, it’s clear that it’s much more than a job, it’s a mission. Underneath his calm demeanor, the man is passionate about his field – aviation.
We spoke with him on the occasion of security tests carried out with the ethical hackers of the Yogosha Strike Force. We talked about cybersecurity and ethical hacking, but also digital transformation, smart airports and collaboration within the airport ecosystem. While the planes fly above the clouds, Eric Vautier is blue-sky thinking.
Groupe ADP, from New Delhi to Santiago
What is Groupe ADP? “Historically, it is the entity that manages the three airports around Paris: Paris-Charles de Gaulle, an international hub, Paris-Orly and Paris-Le Bourget for business aviation and sanitary flights” explains Mr. Vautier.
“The Groupe ADP also owns all the general aviation airfields around Paris. They are becoming increasingly important in the context of new mobility, particularly with eVTOL (Electric Vertical Take-Off and Landing). There are actually prototype tests in Pontoise.”
However, Groupe ADP is not limited to the borders of the Paris region, nor even to those of France. The CISO continues:
“Today, Groupe ADP has stakes in twenty-eight airports around the world – in Jordan, Chile, Croatia, Turkey, India… My role is for 95% on Parisian airports, and 5% on the rest of the group. These are exchanges of best practices, because the shareholding structure of each one and the very specifics of the airport model mean that no two airports are ever similar, and security measures are not applied in the same way.”
Aviation, a security continuum
It goes without saying that security is of the utmost importance in the airport industry, including within Groupe ADP.
“We’re in an area considered highly sensitive, so there’s an obligation on the part of the company to provide guarantees on the level of security in the broadest sense: physical security, aviation security and cybersecurity.” – Eric Vautier, Groupe ADP CISO
These three areas represent the “aviation security continuum”.
- Physical security represents the measures taken to protect passengers and airports from direct threats, such as armed attacks or intrusions.
- Aviation security encompasses all measures to reduce aviation risk. It is based on 5 pillars, such as air traffic or flight crew training. The French State Aeronautical Security Directorate has published a page on the subject (french only).
- Cybersecurity, last but not least, is the set of means implemented to ensure the security of information systems and data of airport activities.
As Yogosha’s core business is offensive security, the rest of this article will focus on the third pillar, cybersecurity. Nevertheless, it is important to know that it’s a brick that fits into a whole. A proper security is a global one, in the airport sector perhaps more than anywhere else.
Aviation, cybersecurity and regulations
It goes without saying that aviation is a highly regulated field – “you don’t make planes fly without a certain amount of certifications” insists Mr. Vautier. Cybersecurity is no exception to the rule. Under the supervision of the French DGAC and ANSSI (National Cybersecurity Agency of France), airports are governed by a number of regulations, both French and European, such as the recent NIS2 Directive, which shapes the digital security requirements in the EU.
“Before, we were an OES (Operator of Essential Services), now we’re an Essential Entity, that’s the new wording brought by NIS2. This applies to airports in general, and to Groupe ADP a fortiori since we are the largest airport complex in France, by far.” – Eric Vautier, Groupe ADP CISO
Compliance, “a lever to achieve real security”
However, “complying for compliance’s sake” is out of the question, warns the CISO. Down to earth, he doesn’t forget that complying with regulations is not an end in itself: the primary goal is the security of passengers and airport employees.
“It’s not the regulations that guarantee a proper level of cybersecurity, but they are still a good driver. At Groupe ADP, under my leadership, we’re trying to use compliance as a lever to achieve real security. We have requirements that set a horizon for us; cybersecurity is about trying to reach that horizon. But the subject is so broad that regulations cannot cover everything that needs to be done. We’re really in a societal transformation, not just a technology improvement.”
Digital transformation: “Internet didn’t bring much, everything was already in place”
All organizations are, at their own level, confronted with the issue of digital transformation. But how do you approach the subject in an environment as sensitive as an airport? How do you open a gateway to the cloud, even though reason dictates that you keep the gates closed? Groupe ADP’s CISO obviously asked himself this question long before us.
“First, you have to understand that we’re a very brick & mortar business. People have to come to the airport to be served. Therefore, culturally, we have a sensitivity to the proximity of equipment and a certain reluctance to go to the cloud, especially for a whole range of operational services. We need that proximity, to be able to say “if I have to get my hands on the server, I’ll get my hands on the server.”
Thus, the shift to the cloud is more about traditional business management, such as billing. “Support functions for airport operations, but not airport operations as such” summarizes Mr. Vautier, before adding:
“Airports are already highly interconnected. For example, we receive passenger information directly from the airlines, we don’t need to use the cloud for that. There has been a worldwide network called SITA (International Aeronautical Telecommunication Society, the acronym is inherited from the French) for a very long time. We have this internal network already meshed, and the arrival of the Internet ultimately didn’t add much to it since everything was already in place.”
Smart Airports, optimization through digital technology
By its very nature, the airport industry is ahead of other fields in terms of interconnection. But if digital technology has not revolutionized the sector, it allows to optimize the existing. Eric Vautier explains:
“We have a certain number of environmental constraints that, in a way, prevent us from expanding. So we need to optimize the airport’s physical infrastructure.
We’re talking about Smart Airport, just like Smart Cities or Smart Factories. This is a strong trend that consists, roughly speaking, of connecting everything we can to a supervision screen in order to have a holistic view of the airport.
We are trying to go further than ordinary management, with incident management for example. If a group of elevators stops working, it will disrupt the flow of passengers. Perhaps they will arrive late, and cause the flights to be late. Similarly, if there is snow, passengers will have difficulty reaching the airport. It’s the butterfly effect. With the Smart Airport, we’re trying to have as many sensors as possible to centralize, analyze and optimize airport operations.“
While Mr. Vautier sees the benefits of the connected airport in a positive light, the CISO he is tempers his position. The sharing of data raises intrinsic questions about digital security, which he must address. “Inevitably, as a CISO, we take on the negative role – that of saying, ‘Be careful, what do you want to put out there? Let’s think about it first.’ We have regalian obligations regarding security, so we can’t put everything in the cloud.“
As you probably guessed, Eric Vautier always keeps a close eye on the group’s security, down to the smallest details. For example, some of the airport’s equipment was recently given special treatment. In order to test their security, the Groupe ADP’s CISO called on the ethical hackers of the Yogosha Strike Force.
Physical equipment, attack vectors to be secured
There is a plethora of equipment in an airport. Baggage handling systems, sensors in the parking lots, connected devices everywhere. And of course, where there is connectivity, there must be cybersecurity. Here, as elsewhere, the group’s CISO advocates zero risk.
“Today, all this equipment is connected to the network, to gather statistics, make adjustments, compile operational data. We obviously do what we have to do in terms of segmentation, but it’s still a network with potential weaknesses. Each piece of equipment must therefore have built-in security. We cannot consider that a piece of equipment can be weaker because it’s on a secure network. Intellectually, it’s a form of Zero Trust model.“
“We wanted to have certainty about the intrinsic robustness of the equipment”
Recently, a round of security tests was conducted on “the security equipment that will be in service in a few years” explains Mr. Vautier.
“The idea of this session was to test the resistance of the equipment to a physical attack. They’re obviously not accessible to just anyone, but we have to consider all threats. We can imagine scenarios where people would try to access them and alter their functioning. So we wanted to be sure of the intrinsic robustness of the equipment.
There were two approaches. The first was purely physical, and the second was software oriented. These are not mere machines, and the embedded software must also be sturdy. In other words, we attacked from the hardware and firmware angle.”
E-Book: Bug bounty, the ultimate guide to a successful program
Learn how to build your Bug Bounty program, make it attractive and leverage hackers to identify high-risk vulnerabilities.
Yogosha’s ethical hackers to test equipment security
To conduct these tests, Groupe ADP called on the Yogosha Strike Force, a community of vetted ethical hackers. A bold choice, which contrasts with the reticence that some large groups may still have towards ethical hacking. But Eric Vautier is not new to this: “For a long time already, the word “hacker” is no longer a scary one within Groupe ADP. We’ve already made use of them on several perimeters.“
Why this choice? “I could have called on a firm of pentesters, but the advantage of going through Yogosha was twofold” comments Mr. Vautier.
The Yogosha Strike Force, a direct access to a wide pool of skills
The ethical hacker community brings a diversity of skills to the table that allows for testing all kinds of environments. The argument is compelling: the more researchers there are, the more likely it is to find one with the right skills for the job. The Groupe ADP’s CISO confirms:
“The first interest we had in working with Yogosha was in sourcing. The panel of potential hackers was much wider than with others. We really wanted to test hardware, and through Yogosha, we managed to find talented people. The hackers found issues on all the equipment. The team was able to attack the hardware, but also the firmware. So we found vulnerabilities and areas of improvement on both dimensions.”
Working hand in hand with equipment manufacturers
It’s not enough to test the equipment, one must also work closely with the manufacturers. As the latter are less used to ethical hacking, “we had to take the time to explain and reassure” explains Mr. Vautier.
“Things were a little more unusual for the manufacturers. They are not used to doing this, and there was a natural concern when we told them what we wanted to do with their machines. Obviously, this creates a certain emotion…
There was a lot of discussion, which is very important. Groupe ADP has a desire to work in an ecosystem, not in confrontation. We didn’t do a penetration test to corner or coerce anyone. We did it to share knowledge, so that everyone could get something out of it.
We apparently succeeded in reassuring everyone, since all the manufacturers who lent equipment sent their experts to attend the tests and exchange with the hackers. It happened in a very good atmosphere.”
We could end this article here. To tell you that our hackers are exceptional, and that the tests were conclusive. But that would be missing the point. The important thing, as Mr. Vautier says, “is what you do afterwards; what you do with the results. And that was the second interest of working with Yogosha.“
Groupe ADP, player and leader in a global ecosystem
It’s important to understand that, by the very nature of their activities, airports are not isolated entities but rather links in a global ecosystem. There is a desire for collaboration at the heart of Groupe ADP’s activities, and of the vision of its CISO: “This is the world of aviation. We’re all interconnected, so we need to establish dialogues to be solid together. There’s no point in being solid alone.“
“We wanted to get the ball rolling”
A good cybersecurity is a total, cross-functional cybersecurity. It’s in the best interest of organizations to work together with their partners and their teams. Nevertheless, the specifics of each entity and the different regulations that apply don’t always make it easy. It’s this observation that led Groupe ADP to take a step towards equipment manufacturers.
“These tests were an opportunity to start a more upfront and transparent collaboration with the equipment manufacturers. The difficulty we have in this area is that any change made to a piece of equipment requires a new certification cycle. It’s a very long process, and that’s one of the things we wanted to get the ball rolling on.
How can we separate the firmware from the certification? If you can prove that the modification doesn’t affect the security target, there is no need to recertify. But some manufacturers are not in this frame of mind, and they bring in hardware and just say that it is certified as is. So there is a strong area of improvement on the embedded base, so that we can more easily modify equipment if vulnerabilities are discovered. My ambition is to establish a dialogue around these issues.“
Similarly, the evolutions designed by equipment manufacturers do not always keep pace with the needs of airports.
“Historically, these devices were not connected. If you took an older generation X-ray, the camera was plugged directly into it and that was it. There was no need for interconnection. But today, airports need to put equipment on the network to optimize their operations.
However, equipment manufacturers are reluctant to have their equipment connected to the network. These issues have been discussed for years, but answers are still not forthcoming. It’s essential to establish a dialogue to change mindsets around what has become a societal issue.”
“Groupe ADP’s work is universal, so we make it available”
True to this collaborative approach, the Group ADP CISO wants to share the results of the tests conducted with Yogosha with the entire airport community.
“These tests have allowed us to draw up a list of penetration test requirements that will be considered to be passed by future equipment. This list is going to be made public – as generic results, of course. It will be my basis for tendering for certain equipment, and we will share it with the airport community. Everyone will be free to use it. That’s part of my philosophy: things have to be put on the table as early as possible so that everyone can prepare. The Groupe ADP’s work – if it’s done well – is universal, so we’re making it available.”
Towards a mutualization of airport security testing?
As you can see, Eric Vautier is looking beyond the scope of Groupe ADP. Within the airport community, he aspires to a real pooling of security efforts.
“The entire airport community has the same issues I do: how do you qualify these pieces of equipment in terms of cybersecurity? The reality today is that each airport is paying for tests on the same equipment, and each in its own backyard. There is something absurd about this, and we all agree. We have this problem in France, and it is amplified on a European scale.
I’m going to dream for 5 minutes, but we could very well imagine a mutualization of airport security tests and results, and define a de facto standard in terms of cybersecurity. We can imagine this well beyond Groupe ADP, through associations such as the Union of French Airports (UAF) or that of European airports, ACI Europe.”
Beyond ethical hackers, it is for its collaborative potential that the CISO selected the Yogosha platform.
“Another criterion that motivated our choice was our desire to make the platform our referencing platform, i.e. for security testing as part of our future calls for tenders.
We could even imagine the Yogosha platform as a reference system used in two, five, twenty airports. We would publish a list of requirements, and each manufacturer could “challenge” itself against the criteria of the calls for tenders. This could lead to a form of pre-qualification through the platform, with positive or negative test results proving coverage with respect to the requirements.”
Eric Vautier’s vision has the beauty of great ideas: it’s simple yet ambitious. Under the impetus of companies like Groupe ADP, the entire airport ecosystem could gain in security through collaborative solutions like the Yogosha platform. Aviation already has its players, now it’s about building a team and finding a pitch. So, shall we play?