ANA Aeroportos is Portugal’s leading airport operator, overseeing 10 airports crucial to the country’s transportation and economic infrastructure. João Annes, Chief Information Security Officer (CISO), leads efforts to mitigate cyber risks and ensure a safe 24/7 operation of these hubs. He had a chat with André, our CTO, to explain his unique challenges and how Ethiack has helped overcome them.
ANA faces a dual challenge: safeguarding its extensive and always-changing IT and OT (Operational Technology) environments while maintaining uninterrupted airport operations. In 2023 alone, ANA handled more than 60 million passengers, six times the population of the country in which it operates. As geopolitical tensions escalate and technological advancements transform the aviation industry, ANA Aeroportos must stay ahead of increasingly sophisticated cyber threats.
If you work in cybersecurity, you know the threat landscape has changed drastically in the last few years. This is especially true for airports and critical infrastructures. Airports, as symbols of national power and economic importance, have become prime targets for state-sponsored attacks and hacktivists. Since the onset of the Ukraine war in 2022, these geopolitical risks have intensified, demanding heightened vigilance. Additionally, new technologies such as biometric authentication and integrated e-commerce platforms have introduced new attack vectors, broadening the scope of potential vulnerabilities.
Operational complexity adds another layer of difficulty. ANA operates within a highly integrated ecosystem of IT and OT systems. This interplay exposes weaknesses that require comprehensive protective measures. As in other critical infrastructures, the 24/7 operational nature of airports compounds this challenge, demanding that cybersecurity efforts be robust yet unobtrusive, ensuring continuity of service while defending against persistent threats. All of this happens as passenger traffic keeps increasing year over year for their airports.
Finally, ANA must comply with the new, complex, and increasingly demanding regulations for critical infrastructures. The EU has been introducing much tighter cybersecurity laws, which only exacerbates this point.
Our symbiosis of Continuous AI Pentesting and Elite Human Ethical Hacking caught ANA's eyes, matching perfectly with their need for 24/7 operationability:
João highlighted the frequent use of Elite Ethical Hacking events, which he mentions are essential for their security strategy. Sometimes lasting for a whole week, our ethical hackers get the opportunity to find the most critical vulnerabilities by exploiting business logic and attack vectors often untouched by automated tools. João highlights how these events also become learning opportunities for his team, as they learn from our approach to strengthen their systems.
By adopting Ethiack’s ethical hacker mindset, ANA’s internal teams understood potential abuse scenarios and ended up with:
João Annes commended Ethiack’s approach:
“Ethiack’s combination of automated testing and human expertise brought a unique perspective to our security challenges. Their continuous monitoring of our attack surface and in-depth manual testing of our internal systems have transformed how we approach cybersecurity. Ethiack teaches us to think like attackers, making us better equipped to handle threats proactively.”
Ethiack’s partnership with ANA Aeroportos demonstrates the great power of combining AI Continuous Pentesting and Elite Ethical Hacking. By addressing vulnerabilities in real-time and equipping internal teams with attacker mindsets, Ethiack ensures its clients are not just protected but prepared for the challenges ahead. For ANA Aeroportos, this collaboration with Ethiack marks a pivotal step in fortifying their operations against the complex cyber threats of the modern world.
Watch the teaser below and check the full video on YouTube here.You can also download the full case study here.