“Cybersecurity is like fire safety.”
Florian Frech is head of IT Strategy and Governance at Stuttgart Airport, where he is also responsible for cybersecurity. In our interview, he discusses the role of a Security Operations Centre (SOC), explains why NIS2 is so important, and why cybersecurity must be a C-level priority. He also shares his perspective on the future of cybersecurity as the backbone of any company.
Written by
E-Mail: stefan.maurer@bechtle.com
Mr Frech, have you always been drawn to flying?
Florian Frech: Not exactly. I’ve always lived nearby and could see the planes, but the fascination only really began once I started working at the airport. And once it grabs you, it never lets go.
You are the head of IT Strategy and Governance at Stuttgart Airport. What does that involve?
My team and I are responsible for cyber and information security throughout the airport. That includes security policies, handling security incidents, regulatory compliance, and much more. We also oversee fundamental IT planning and change management.
An airport is essentially a high-security zone, so that must be quite challenging.
It is, but it’s also incredibly diverse work. Passengers notice all the physical security measures in place—from cameras to metal detectors and x-ray machines—but behind the scenes, a host of interconnected IT systems keep everything running smoothly. And it’s essential to secure these and many other systems digitally. And then there are the many partners who need to work seamlessly together, including authorities, airlines, and the various businesses based at the airport. We support them all to help ensure secure processes throughout.
Given all these challenges, how do you organise IT at an airport?
Because our operations are so critical, we make sure all essential systems are built with redundancy from the ground up. If one component fails, passengers usually don’t notice. Even if an entire system goes down, we have fallback scenarios—whether that means restoring the system, switching to emergency operations, or even going analogue.
Which systems are you referring to specifically?
All the systems used for passenger handling—check-in counters, self-bag drop, the baggage conveyor system, and many more. Security checks are the responsibility of the authorities, but in principle, every step of the passenger journey is supported by IT systems. Even take-off and landing, including runway lighting—which must never fail—depend on these systems.
Does that include what happens in the control tower?
No. As we like to joke: “We do everything except the flying”. That’s the responsibility of German air traffic control. It’s our site, and we work closely together, but we don’t give pilots clearance for take-off or anything like that.
Airports are often targeted by cyberattacks. Why is that?
Airports are highly visible, just like federal authorities or energy providers. If you disrupt a country’s air traffic, you disrupt its infrastructure and operations—and attackers aim to unsettle society as a whole. That’s why we’re in the spotlight, especially during events of global political significance. We saw this ourselves at the start of the war in Ukraine, when the number of cyberattacks targeting us rose significantly.
How do you and your team identify cyberattacks?
Our IT security experts work closely with Bechtle’s Cyber Defence Centre. We bring together data from a wide range of systems, correlate and analyse it to detect anomalies as early as possible so we can respond quickly. As an airport, security—both digital and physical—is part of our DNA.
One attack vector that’s used particularly often is what’s known as a DDoS attack …
That’s something we’ve experienced ourselves. The airport’s website has been targeted several times in the past. The aim is to cause visible disruption to operations. Passengers and those picking people up suddenly can’t access online flight information, but we are well-prepared for these kinds of attacks. The website is completely separate from our operationally critical infrastructure, so attacks can never affect other IT systems at the airport.
So, that means the data is brought together in the SOC, but the systems themselves remain separate?
Basically, yes. Our cyber defence strategy consists of multiple systems, processes and roles that go far beyond just technology like firewalls and endpoint protection. We connect systems and data, and enrich them with the help of AI, allowing us to detect anomalies quickly and, in some cases, respond automatically.
That can’t be an easy task given the sheer volume of data.
It really isn’t. Bechtle supports us with the SIEM system we use and by helping us apply specific use cases to the data so we can identify meaningful correlations. Once a certain threshold is reached, it becomes critical—and that’s when the figurative alarm bells start ringing. All incoming data is automatically filtered and prioritised, so administrators receive the most relevant information in a clear and accessible format. It’s then up to people to make the key decisions.
But often, cybercriminals lurk in a company’s IT systems for weeks or even months, spreading throughout the network without being noticed.
That’s right. This is what we call lateral movement. Ideally, we detect an attack at the point of entry, but if that fails, our goal is to identify it as quickly as possible once it’s inside the system. I like to compare it with fire safety. We do everything we can to prevent a fire, but if one does break out, we have smoke detectors and other protection systems to contain it quickly. Fire doors are a great example—in IT, they’re like isolating our systems. You can get so far, but no further.
The classic triad of prevention, detection, and response?
Yes, but these days we’re investing more resources in detecting and responding to attacks. We obviously want to prevent as many attacks as possible, but like other companies, we’ll never be able to stop all of them, which is why detection and response are so important. Our lines of defence are now far more advanced than they used to be.
You said it’s so much more than just technology.
That’s right. Let’s say I need to shut down my IT systems because of an attack. That raises a whole series of questions: How do I inform the staff? By e-mail? Impossible. Via the intranet? Also not an option. The phone list? Probably stored on the intranet somewhere. You have to think carefully about these processes. The key consideration is always: “How can I restore operations as quickly as possible, and how can I ensure a smooth transition from emergency mode back to normal business operations?”
That raises the question of backups—do they exist, and where are they kept?
Absolutely. We have dedicated IT contingency plans in place for various scenarios that we practise regularly. Restoring backups is one of them. Having a backup is one thing; being able to restore it successfully is quite another.
If we could just take a step back for a moment. Let’s talk about NIS2. This new regulation, of course, also applies to Stuttgart Airport.
Exactly. We already have an information security management system (ISMS) in place and, as an airport, we’re subject to a wide range of additional regulations. NIS2 raises the bar even further and requires us to take an even more holistic approach to compliance. Whereas our ISMS previously focused on areas such as aviation security, energy supply, or ground handling processes, we’re now consolidating all these aspects into one place.
That sounds like a huge amount of work, doesn’t it?
It is, but NIS2 is the right step and absolutely essential. There’s still some debate in Germany about how certain aspects of the regulation should be implemented, but cybersecurity is so crucial that NIS2 is absolutely the right move. After all, IT security and operations are at the heart of every organisation. If IT systems fail, things quickly get complicated—or in the worst case, everything comes to a standstill.
And yet, there has been a lot of grumbling about the increase in red tape …
For me, the priority is clear. We need to achieve real cybersecurity first, and then make sure we meet the regulations—not the other way around. Still, the additional effort required for documentation and audits clearly highlights the bureaucratic downsides of such regulations. In my view, there should be ways to ease the burden. For instance, by recognising equivalent certifications across different scopes.
What are some key focus areas for the future at Stuttgart Airport?
One key focus will continue to be holistic cybersecurity. We’re now thinking beyond traditional IT and moving into the realm of operational technology (OT), which includes things like networking and securing baggage handling systems or building management technology. Nowadays, every device is connected to the network, which makes all of them potential targets in a cyberattack. These systems work very differently; you can’t just shut them down for updates, as they have to run 24/7. The second, even bigger project is called “STRzero”, which is our goal to become a climate-neutral airport by 2040. Not through certificates, but truly net zero by reducing emissions on site. That involves major reconstruction work, almost on the scale of building a new terminal—everything new, everything even more connected. And we need to secure all of that, too.
To implement all these cybersecurity initiatives, you also need backing from the very top, right?
It’s absolutely essential. Many senior managers still see IT security as an expense first and foremost, but fortunately, that isn’t the case here. Of course, IT security comes at a price, but it’s a fundamental requirement for doing business. Cybersecurity is a core responsibility and a top management priority. If decision-makers still see things differently, I’d urge them to listen to those who have experienced an attack first-hand. When you hear them describe how the breach happened and what it meant for their organisation, you begin to understand the true impact of a real cyber incident.