ICT security and data protection
The Zurich Airport Group works continuously to strengthen the resilience of its ICT systems. These efforts ensure that data and information are available and confidential while maintaining their integrity.
Relevance
At its various sites, Zurich Airport Ltd. uses different systems for information and communication technology (ICT). In Zurich, Zurich Airport Ltd. maintains extensive ICT systems with data centers that are vital for its operations. The entire airport infrastructure can only function if data can be processed. The situation is the same at the three majority-owned subsidiaries in Brazil. In Chile, on the other hand, the ICT systems of the subsidiary and its sites are largely confined to the commercial and personnel-related administration of the company itself, as the aviation-related systems in particular are operated by the authorities.
In addition to risks of a physical nature such as natural disasters, cyber-attacks pose a major threat to ICT systems today. The Zurich Airport Group is accordingly faced with the challenge of continually developing its security strategies. The ICT systems and associated data and information must be protected from unauthorised access while maintaining availability, confidentiality and integrity at all times.
As a key element of Switzerland’s infrastructure, Zurich Airport is part of the national strategy to protect critical infrastructures and is consequently required to take steps to increase resilience. At the same time the National Aviation Security Programme (NASP) run by the Federal Office of Civil Aviation (FOCA) stipulates certain ICT security requirements that are binding for Zurich Airport.
Personal data collected in Zurich, for example from passenger handling, video surveillance, access points to buildings and security zones, vehicle car parks, and from the provision of further services, are subject to Swiss and/or European data protection legislation.
Approach
ICT security
To guarantee the availability, confidentiality and integrity of its ICT systems, Zurich Airport Ltd. set up an information security management system (ISMS) for the Zurich site in 2022, which is certified in accordance with ISO 27001. This ISMS ensures that ICT security is maintained for the basic infrastructure and is constantly adapted to meet ever-evolving challenges. Zurich Airport thus complies with the requirements of the NASP. In the reporting year, the Zurich site passed the maintenance audit and measures were initiated to expand the scope of the management system to incorporate the aviation systems.
Measures to increase ICT security at the Zurich site will be further developed in line with the cyber security strategy, which was revised in 2023 and is based on internationally recognised regulations. Once a year, the Audit & Finance Committee of the Board of Directors is informed of the current state of play. In the reporting year, Zurich Airport Ltd. continued to invest in increasing the resilience of its ICT systems. Identity and access management was integrated into the Cyber Security section along with personnel resources. The department was also furnished with additional resources to strengthen its ICT readiness for business continuity and ICT security architecture. In addition, the capabilities of the Cyber Defence Center, which continuously monitors the ICT systems, are being expanded together with a partner on an ongoing basis.
This close integration with the national strategy to protect critical infrastructures and close compliance with sector standards are intended to ensure that the company will always be in a position to detect external cyber-attacks and other data breaches at an early stage and minimise their impact. System-critical infrastructures are provided redundantly, which is also intended to limit the damage to ICT systems caused by other incidents such as earthquakes.
The importance of awareness is defined in a central process within the framework of a separate project in the cyber security strategy. This is because the behaviour of employees is key to successfully protecting systems against cyber-attacks. Regular information campaigns and training events are held to raise awareness among all ICT users and enable them to quickly spot potential threats.
In Brazil, the project launched in 2021 to secure ISO 27001 certification has not yet been completed. Natal Airport needs to be integrated and further work completed for certification to take place in 2025.
Protection of personal data
For the Zurich site, the framework for handling personal data is primarily provided by the Swiss Data Protection Act and the European General Data Protection Regulation.
As well as complying with data protection laws, Zurich Airport Ltd. handles all the data and sensitive information of its business customers, service partners, consumers and other stakeholders with care and observes its duties of confidentiality.
Zurich Airport Ltd. has appointed a data protection officer to ensure compliance as regards the protection of personal data. This officer advises line managers on the correct handling of personal data, maintains a list of the company’s data repositories, and provides information to affected individuals, external bodies and public agencies. Zurich Airport Ltd. has set out the principles for handling personal and company data in a data ethics policy.
The management of operational and personal data at the company’s airports abroad is based on the respective local regulations in force. Owing to the limited scope of the systems, no passenger-related data are collected at the airports in Chile. The passenger data collected at the Brazilian airports cannot be linked to individual people.