Guarding the Skies: How Cyber Resilience Keeps Airports Safe

In an industry where every second of uptime can mean the difference between safety and chaos, cybersecurity in aviation isn’t optional—it’s existential. In this exclusive conversation with CISO Forum, Neehar Pathare, Managing Director, CEO & CIO of 63SATS, delves into the complex cybersecurity landscape underpinning aviation and airport operations. He emphasizes that the modern CISO’s role goes far beyond protecting data—it’s about safeguarding the interconnected web of operational technologies that keep airports running: from air traffic systems to fuel management and baggage handling.

He outlines a pragmatic framework for building cyber resilience through segmentation, zero-trust security, and recovery readiness, while also emphasizing the importance of trust, compliance, and innovation by design. As AI-driven threats rise and operational systems become increasingly connected, Pathare makes a compelling case for unifying governance, automation, and human preparedness—transforming cybersecurity into a strategic enabler of safe, efficient, and intelligent aviation.

Neehar Pathare
Managing Director, CEO & CIO, 63SATS

CISO Forum: In a sector where operational continuity is critical, how do CISOs address cyber risks across aviation and airport services?

Neehar Pathare: In aviation, operational continuity isn’t just a business goal; it’s a core safety imperative. The primary challenge is the deep convergence of Information Technology (IT) and Operational Technology (OT). We’re no longer just protecting data; we’re also safeguarding critical physical systems, including baggage handling, air traffic control, runway lighting, and fuel management.

The CISO’s approach must be built on cyber resilience:

  • Deep Segmentation: We must strictly segment critical OT networks from the corporate IT environment and the public-facing internet. This prevents a breach in one area (like guest Wi-Fi) from cascading into a critical operational system.
  • Zero Trust for OT: Assume a breach is possible. Every connection request to a critical system must be authenticated and authorized, regardless of whether it’s “internal” or “external.”
  • Resilience and Recovery: Because you cannot always patch OT systems (which may require a complete system shutdown), the focus shifts to rapid detection and recovery. We must have well-practiced playbooks to isolate a compromised system and failover to redundant controls immediately, ensuring the airport continues to function safely.

CISO Forum: How does protecting passenger and operational data support both trust and operational efficiency in highly regulated environments?

Neehar Pathare: This is a dual-pillar strategy.

  • Protecting Passenger Data (PII): This is the foundation of trust. Passengers exchange their personal data (passport info, travel itineraries) for a service. A breach of this data critically erodes public confidence in the airline or airport, leading to brand damage and severe regulatory penalties (like GDPR). Robust data encryption, strict access controls, and data minimization are non-negotiable.
  • Protecting Operational Data: This is the key to efficiency and safety. Imagine the impact of corrupted data for flight manifests, maintenance logs, or cargo weight and balance. It could ground an entire fleet or, worse, create a direct safety risk. Protecting the integrity of this data ensures that operations run smoothly, on time, and, most importantly, safely.

In a regulated environment, strong data protection is also a competitive advantage. It demonstrates maturity and stability to partners and regulators alike.

CISO Forum: What frameworks are effective in managing cyber risk across multiple airport facilities or operational sites?

Neehar Pathare: A “one-size-fits-all” framework doesn’t work. The most effective strategy is a hybrid, risk-based model that combines centralized governance with decentralized execution.

  • Centralized Governance: A central team should establish the “what” and “why” using a standard framework, such as the NIST Cybersecurity Framework (CSF). It provides a common language—Identify, Protect, Detect, Respond, Recover—that all facilities can understand and map to.
  • Decentralized Execution (IT): For IT systems (booking, corporate email), ISO 27001 is excellent for building a robust Information Security Management System (ISMS) that can be certified and audited across sites.
  • Decentralized Execution (OT): For the critical operational technology, the ISA/IEC 62443 series is the gold standard. It is purpose-built for Industrial Control Systems (ICS) and helps each facility apply specific controls relevant to its unique machinery and risk profile.

This federated model allows a central CISO to manage an aggregate risk score while empowering local teams to address specific, on-the-ground threats.

CISO Forum: How can innovation in passenger services be balanced with stringent security and compliance requirements?

Neehar Pathare: Innovation and security must be partners, not adversaries. The “move fast and break things” mentality is unacceptable in critical infrastructure.

The balance is achieved through “Security by Design” and a DevSecOps culture.

  • Embed Security Early: Security teams must be involved from the inception of a new service (such as a biometric boarding app or a new IoT-based baggage tracker), not just at the final testing phase. This “shift-left” approach identifies and mitigates risks when they are cheapest and easiest to fix.
  • Risk-Based Controls: Instead of applying a blunt, “maximum-security” policy to everything, we use controls proportionate to the risk. A new digital information kiosk has a different risk profile than an app that touches the flight control system.
  • Secure API Gateway: Most new passenger services are built on APIs. A robust API security strategy—focusing on authentication, rate limiting, and anomaly detection—is essential to enable innovation without exposing the core systems behind it.

CISO Forum: Which metrics or KPIs best capture the effectiveness of cybersecurity initiatives in critical infrastructure sectors?

Neehar Pathare: Vanity metrics, such as “number of attacks blocked,” are useless. In critical infrastructure, the most meaningful KPIs are tied to resilience and operational uptime.

  • Mean Time to Recover (MTTR): This is the most critical KPI. When an incident occurs, how fast can we restore full, safe operations? This is the ultimate test of resilience.
  • Mean Time to Detect (MTTD): How long does an adversary dwell in our network before we find them? The faster we detect, the less damage they can do.
  • Percentage of Critical Asset Visibility: You cannot protect what you cannot see. This KPI measures the percentage of our critical OT and IT assets that are fully monitored by our security tools.
  • Patching/Vulnerability Cadence: For systems that can be patched, what percentage of critical vulnerabilities are remediated within the defined SLA?
  • Control Efficacy Score: We measure effectiveness using Breach and Attack Simulation (BAS) tools. How often did our controls (EDR, firewall, etc.) actually stop a simulated real-world attack?

CISO Forum: How are teams being prepared to anticipate and respond to emerging threats, including AI-driven attacks on critical infrastructure?

Neehar Pathare: AI is a dual-use tool. Attackers are using it, and so must we.

  • Threats from AI: We are preparing for AI-driven threats, including hyper-realistic deepfake voice calls for social engineering, polymorphic malware that rewrites itself to evade detection, and AI-powered swarm attacks that can identify vulnerabilities faster than any human team.

Our Preparation Strategy:

  • AI for Defense: We are implementing AI and Machine Learning in our own Security Operations Centers (SOCs). These tools are essential for detecting anomalies and subtle patterns in network traffic that signal a sophisticated attack, which a human analyst might miss.
  • Training the “Human Firewall”: The human element remains key. We are moving beyond simple phishing drills to advanced simulations that train staff to recognize AI-driven social engineering (like deepfake audio).
  • Resilience-Based War Gaming: We run regular “war game” scenarios based on these emerging threats. We assume the AI-driven attack will breach our perimeter and test our response playbook. The goal is to build muscle memory for rapid containment and recovery.

CISO Forum: How do your solutions help enterprises address current cybersecurity challenges while balancing risk, compliance, and operational efficiency?

Neehar Pathare: Enterprises are caught in a tricky balancing act: they must defend against a rapidly evolving threat landscape, navigate a complex web of compliance mandates, and maintain perfect operational efficiency. Our solutions are designed to address this trifecta directly.

  • To Manage Risk: We provide [e.g., a unified threat intelligence platform / advanced breach detection solutions] that move beyond simple prevention. We provide CISOs with real-time visibility into their entire attack surface—from IT to OT—enabling them to prioritize vulnerabilities that pose a genuine business risk, not just a theoretical one.
  • To Streamline Compliance: Our [e.g., automated GRC (Governance, Risk, and Compliance) module/compliance reporting tool] helps enterprises map their controls across multiple frameworks, such as NIST, ISO, and PCI, simultaneously. Instead of costly, manual audits, we automate evidence collection, turning compliance from a periodic scramble into a continuous, verifiable state.
  • To Drive Operational Efficiency: Our solutions [e.g., leverage AI and SOAR (Security Orchestration, Automation, and Response)] to automate the low-level, repetitive tasks that burn out security teams. By automatically investigating and neutralizing common alerts, we free up highly skilled analysts to focus on complex, strategic threats, effectively doing more with less and reducing the MTTR.

Ultimately, we help organizations mature from a reactive to a proactive and predictive cyber resilience posture.