Florian Frech
Florian Frech

Flughäfen sind ein beliebtes Angriffsziel für Cyberkriminelle. Florian Frech erklärt warum: „Stört man den Flugbetrieb in einem Land, stört man die Infrastruktur, schafft Unsicherheit und bekommt Aufmerksamkeit. Deshalb sind wir im Fokus – gerade in Zeiten bedeutender weltpolitischer Ereignisse.“ Ein beliebter Angriffsvektor sind sogenannte DDoS-Attacken, mit denen zum Beispiel Unternehmenswebseiten oder deren IT-Services gestört werden sollen. Aber auch Ransomware-Angriffe, die im schlimmsten Fall die komplette IT eines Unternehmens lahmlegen können. 

Wir benötigen Ihre Zustimmung, um den Podcast abspielen zu können.

An dieser Stelle finden Sie interaktive Podcast-Inhalte, welche über unseren Dienstleister Podigee eingebunden sind. Um Ihnen diese Inhalte zur Verfügung zu stellen, benötigen wir Ihre Zustimmung. Weitere Informationen zur Datenverarbeitung im Rahmen der Podcasts finden Sie in unserer Datenschutzerklärung

Einstellungen Zustimmen

Um den Flughafen und damit auch die Passagiere möglichst umfangreich zu schützen, setzen Florian Frech und sein Team auf „ein ganzheitliches Cyberabwehr-Konzept, aus aufeinander abgestimmten Systemen, Prozessen und Rollen.“ Das Security Operations Center gehe weit über Technologien hinaus: „Wir verbinden Systeme und Daten und reichern sie unter anderem mit Unterstützung von KI weiter an. So erkennen wir Anomalien früher und können automatisiert reagieren." 

Dabei enden die Sicherheitsüberlegungen schon lange nicht mehr bei der klassischen IT, sondern ziehen sich inzwischen auch bis hinein in die OT- bzw. Anlagensicherheit. Diesen Themen kommt eine immer größer werdende Rolle zu – auch aufgrund der Regulatorik. Mit NIS2 kommt auf den Flughafen Stuttgart einiges zu. „Das erweitert den Scope und verpflichtet uns, Dinge noch ganzheitlicher für den Flughafen zu betrachten“, erklärt Florian Frech. Er hält das neue, europaweit gültige Regelwerk für „wichtig und sinnvoll“. Für ihn ist „Cybersicherheit so entscheidend, dass NIS2 der richtige Schritt ist. IT-Sicherheit und der IT-Betrieb sind ein Herzstück eines Unternehmens.“ Auch deshalb folgt er bei allen Security-Maßnahmen einer Maxime: „Wir wollen echte Cybersicherheit schaffen und daneben noch Verordnungen erfüllen – und nicht andersherum.“ 

Hören Sie jetzt hinter die Kulissen eines Flughafens und erfahren Sie, wie Cybersicherheit dort gemanagt wird. 

Alle Podcast-Folgen

Cybersicherheit ist wie Brandschutz: Wir tun alles dafür, dass es nicht brennt, aber wenn es doch geschieht, haben wir Rauchdetektoren und andere Brandschutzmaßnahmen, um das Feuer schnell einzudämmen. Auch durch eine Brandschutztür. Bis hierhin und nicht weiter. Das trifft auch auf das Digitale zu.

Florian Frech

Florian Frech

Zur Person.

Florian Frech ist Leiter IT-Strategie und Steuerung am Flughafen Stuttgart. Er verantwortet die Informations- und IT-Sicherheitsstrategie, koordiniert Schutzmaßnahmen gegen Cyber-Bedrohungen und treibt Digitalisierungsprojekte im kritischen Infrastrukturumfeld voran.

One attack vector that’s used particularly often is what’s known as a DDoS attack …

That’s something we’ve experienced ourselves. The airport’s website has been targeted several times in the past. The aim is to cause visible disruption to operations. Passengers and those picking people up suddenly can’t access online flight information, but we are well-prepared for these kind of attacks. The website is completely separate from our operationally critical infrastructure, so attacks can never affect other IT systems at the airport.

So, that means the data is brought together in the SOC, but the systems themselves remain separate?

Basically, yes. Our cyber defence strategy consists of multiple systems, processes and roles that go far beyond just technology like firewalls and endpoint protection. We connect systems and data, and enrich them with the help of AI, allowing us to detect anomalies quickly and, in some cases, respond automatically.

That can’t be an easy task given the sheer volume of data.

It really isn’t. Bechtle supports us with the SIEM system we use and by helping us apply specific use cases to the data so we can identify meaningful correlations. Once a certain threshold is reached, it becomes critical—and that’s when the figurative alarm bells start ringing. All incoming data is automatically filtered and prioritised, so administrators receive the most relevant information in a clear and accessible format. It’s then up to people to make the key decisions.

But often, cybercriminals lurk in a company’s IT systems for weeks or even months, spreading throughout the network without being noticed.

That’s right. This is what we call lateral movement. Ideally, we detect an attack at the point of entry, but if that fails, our goal is to identify it as quickly as possible once it’s inside the system. I like to compare it with fire safety. We do everything we can to prevent a fire, but if one does break out, we have smoke detectors and other protection systems to contain it quickly. Fire doors are a great example—in IT, they’re like isolating our systems. You can get so far, but no further.

The classic triad of prevention, detection, and response?

Yes, but these days we’re investing more resources in detecting and responding to attacks. We obviously want to prevent as many attacks as possible, but like other companies, we’ll never be able to stop all of them, which is why detection and response are so important. Our lines of defence are now far more advanced than they used to be.

You said it’s so much more than just technology.

That’s right. Let’s say I need to shut down my IT systems because of an attack. That raises a whole series of questions: How do I inform the staff? By e-mail? Impossible. Via the intranet? Also not an option. The phone list? Probably stored on the intranet somewhere. You have to think carefully about these processes. The key consideration is always: “How can I restore operations as quickly as possible, and how can I ensure a smooth transition from emergency mode back to normal business operations?”

That raises the question of backups—do they exist, and where are they kept?

Absolutely. We have dedicated IT contingency plans in place for various scenarios that we practice regularly. Restoring backups is one of them. Having a backup is one thing; being able to restore it successfully is quite another.

If we could just take a step back for a moment. Let’s talk about NIS2. This new regulation, of course, also applies to Stuttgart Airport.

Exactly. We already have an information security management system (ISMS) in place and, as an airport, we’re subject to a wide range of additional regulations. NIS2 raises the bar even further and requires us to take an even more holistic approach to compliance. Whereas our ISMS previously focused on areas such as aviation security, energy supply, or ground handling processes, we’re now consolidating all these aspects into one place.

That sounds like a huge amount of work, doesn’t it?

It is, but NIS2 is the right step and absolutely essential. There’s still some debate in Germany about how certain aspects of the regulation should be implemented, but cybersecurity is so crucial that NIS2 is absolutely the right move. After all, IT security and operations are at the heart of every organisation. If IT systems fail, things quickly get complicated—or in the worst case, everything comes to a standstill.

And yet, there has been a lot of grumbling about the increase in red tape …

For me, the priority is clear. We need to achieve real cybersecurity first, and then make sure we meet the regulations—not the other way around. Still, the additional effort required for documentation and audits clearly highlights the bureaucratic downsides of such regulations. In my view, there should be ways to ease the burden. For instance, by recognising equivalent certifications across different scopes.

What are some key focus areas for the future at Stuttgart Airport?

One key focus will continue to be holistic cybersecurity. We’re now thinking beyond traditional IT and moving into the realm of operational technology (OT), which includes things like networking and securing baggage handling systems or building management technology. Nowadays, every device is connected to the network, which makes all of them potential targets in a cyberattack. These systems work very differently; you can’t just shut them down for updates, as they have to run 24/7. The second, even bigger project is called “STRzero”, which is our goal to become a climate-neutral airport by 2040. Not through certificates, but truly net zero by reducing emissions on site. That involves major reconstruction work, almost on the scale of building a new terminal—everything new, everything even more connected. And we need to secure all of that, too.

To implement all these cybersecurity initiatives, you also need backing from the very top, right?

It’s absolutely essential. Many senior managers still see IT security as an expense first and foremost, but fortunately, that isn’t the case here. Of course, IT security comes at a price, but it’s a fundamental requirement for doing business.  Cybersecurity is a core responsibility and a top management priority. If decision-makers still see things differently, I’d urge them to listen to those who have experienced an attack first-hand. When you hear them describe how the breach happened and what it meant for their organisation, you begin to understand the true impact of a real cyber incident.