ACI EUROPE releases penetration testing guidelines for OT & ICS in airport settings
ACI EUROPE has published its first set of Penetration Testing Guidelines for Operational Technology (OT) and Industrial Control Systems (ICS) in Airport Settings, providing airports with a structured framework to address one of the most complex aspects of aviation cyber security.
Airports rely on OT and ICS to manage critical functions including baggage handling, lighting and fuel management. Given their essential role in safety and operations, these systems require a cautious, specialised and collaborative approach to penetration testing. The new guidelines set out best practices to ensure testing can be carried out effectively while safeguarding continuity of service and compliance with both EU and international standards.
The guidance outlines a range of methodologies – from vulnerability scanning to advanced red teaming – and highlights the limitations of applying traditional IT testing approaches to OT environments. By addressing the unique characteristics of these systems, the guidelines aim to help airports strengthen resilience against cyber threats without exposing essential infrastructure to unnecessary risks.
Developed by airport cyber security professionals through the ACI EUROPE Cyber Security Committee, this guidance aims to offer airport operators a practical way to improve the security maturity of their OT/ICS systems in a scalable and modular way.
