Aeroporti di Puglia:
Services Ensuring CyberSecurity

The adoption path for new CyberSecurity measures that meets today's legislative requirements while anticipating those of tomorrow

 

Security Always


Aeroporti di Puglia S.p.A.'s primary purpose is the management, under concession, of Puglia's airports. This activity covers the design, development and management of infrastructure for airport and commercial activities. The management of aviation and non-aviation services is therefore also part of the corporate purpose.

In particular, aviation activities include, among others, the following services:

  • centralised infrastructure management; passenger, ramp and cargo handling;
  • ground handling services: ADP currently manages ground service activities for most of the carriers operating at Apulia's airports;
  • security services: the company has purchased all the equipment necessary to carry out hold baggage screening, which has been compulsory since January 2003. Since March 2002, in the Apulian airports (Bari, Brindisi, Foggia and Grottaglie), services for checking departing and transit passengers and their hand and hold baggage have been activated. The service is outsourced to authorised security companies, which meet the legal requirements and are authorised by Enac.

Non-aviation activities include:

  • sub-concessions of space to third parties: sub-concessions mainly refer to car rental, catering and refuelling of aircraft;
  • management of advertising spaces: ADP is the concessionaire of the billposting service and sub-concessions to third parties for the management of advertising spaces;
  • management of the paid parking service for departing passengers.

At present, the share capital amounts to Euro 25,822,845.00 and is almost entirely subscribed by the Region of Apulia, with minority shares held by other territorial and economic entities.

CyberSecurity Needs

Aeroporti di Puglia needed to embark on a path of adopting new cybersecurity safeguards, following NIS legislation and sector directives, and to continue offering a service adequately protected against cyber threats as a whole.

Objectives for CyberSecurity Oversight 

Cybersecurity management activities began in late 2021:

An assessment of the company's ICT assets was carried out in preparation for processing the documentation required by NIS legislation and the sector directives issued by ENAC. Starting in January 2022, a 12-month CISO consultancy service was provided to Aeroporti di Puglia, which allowed the organisation to structure its cybersecurity management processes across the whole organisation and to prepare initiatives for designing the future overall cybersecurity management. In late 2023, Exprivia was awarded the tender for the overall provision of cybersecurity management services for Aeroporti di Puglia.

Legislative requirements: the Exprivia solution

The service implemented by Exprivia is led by an extended team of specialists that performs CISO as a service, Threat Intelligence and VAPT governance functions and manages an awareness programme. Together with continuous monitoring by the SOC, it puts Aeroporti di Puglia in the best position to meet present and future legislative requirements, such as NIS2.

The various project and service activities have led to an improvement in the overall cybersecurity maturity level, introducing a virtuous model that also extends to collaboration with the other organisations present in Aeroporti di Puglia.

Conclusion

Improved monitoring of security events
Achieved by activating a SOC that continuously monitors collected security events, an exposed surface monitoring service and tailored threat intelligence. A control framework to support governance processes was also implemented and activated.

Cybersecurity awareness programme
A platform that automates the delivery of courses, supported by short videos that improve the user experience, spreads a cybersecurity culture throughout the organisation. The platform also automates periodic phishing tests, making it possible to monitor the evolution of user awareness on cybersecurity issues.

Defining processes, procedures and communications

A progress plan that tracks progress month by month and keeps the organisation informed improves the organisation's awareness of cybersecurity issues. All cybersecurity procedures are constantly reviewed and improved.

Improving the vulnerability management process
Performing periodic VAPTs also made it possible to structure a remediation process, which in conjunction with the risk assessment process helps to keep the security posture under control.