JFKIAT is the private operator of Terminal 4 (T4) at John F. Kennedy International Airport. In 1996, JFKIAT was selected by the Port Authority of NY & NJ to develop, build, and manage the former International Arrivals Building (IAB) at JFK. In 2001, T4 reopened after a $1.4 billion redevelopment that transformed the former IAB into a modern, efficient terminal.
In 2013, Terminal 4 completed Phase I of its expansion, adding 457,600 sq. ft. and nine new gates. In January 2015, T4 opened the 80,000 sq. ft. B Concourse Phase II expansion, adding 11 new gates to accommodate Delta’s regional jets. By 2016, T4’s new brand was launched, and a record-breaking 20.6 million passengers traveled through the terminal.
In December 2021, the Port Authority marked a key milestone in the transformation of JFK International Airport with the groundbreaking for a $1.5 billion privately financed expansion and modernization of T4 to unify Delta operations, adding 10 new gates and 150,000 square feet to the facility. During this expansion, JFKIAT modernized Terminal 4’s systems and cybersecurity to meet present demands and prepare for the future.
The modernization of Terminal 4, led by JFKIAT and Delta Air Lines, is now substantially complete, and Terminal 4 has been transformed into a more modern space designed to provide an enhanced overall customer experience. In addition to its increased airport capacity, the upgrade includes updates to the check-in hall, new gate finishes, expanded curb drop-off space, additional digital signage, restroom modernizations, the transformation of regional jet gate areas to accommodate mainline aircraft, and continued technology enhancements.
Following an initial interview in April 2023 with Roel Huinink, President & CEO of JFKIAT—while Terminal 4 was undergoing its major modernization—I reconnected with him this past January. We discussed how JFKIAT has since built a more robust and comprehensive cybersecurity program. Joining the conversation was Steve Tukavkin, Vice President of IT & Digital. Steve leads the IT Systems division for Terminal 4, overseeing the information and communication technology services that support all terminal operations, security systems, and business solutions.
Covering over 2 million square feet, T4 is home to more than 20 airlines, employs over 12,000 people, and serves over 27 million passengers each year. As with any critical infrastructure facility, the terminal is a constant target of cyber-attackers, and a disruption from an attack or breach could impact a variety of vital services. “For example, the disruption from an attack or breach could affect anything from wayfinding displays and baggage handling systems to the entire ‘brain’ of the terminal operations,” said Steve Tukavkin.
As technology and business ecosystems continue to evolve digitally, JFKIAT established a comprehensive, multi-layered 2024 program to improve security effectiveness and partner safety. Their three-year cybersecurity roadmap focuses on key priorities: enhancing identity and access management, optimizing incident response, establishing third-party risk protocols, expanding staffing and talent, and strengthening governance.
JFKIAT assessed the five pillars of the National Institute of Standards and Technology (NIST) cybersecurity framework—Identify, Protect, Detect, Respond, and Recover—allowing them to refine their governance, risk, and compliance disciplines. To enhance passenger safety and operational efficiency, several security systems were upgraded, including the Access Control System, Video Management System, and video analytics. These enhancements improve threat detection, minimize false alarms, and enable T4 teams to respond faster to emergencies, ensuring a safer environment for both travelers and staff.
“We have invested quite a lot in technology over the recent years,” said Roel Huinink, “and as we like to call ourselves ‘The Flagship Terminal’, I also would say that we are the leader in the aviation industry and leading the force to technical cybersecurity, which started a couple of years ago because cybersecurity is super important.”
For JFKIAT’s internal organization, they collaborated with Dashlane, a password management tool. Dashlane is a top-tier password manager and digital wallet designed to securely store, manage, and protect user credentials, including passwords, passkeys, and personal data. It operates on a zero-knowledge architecture, meaning all data is encrypted on the user’s device and neither Dashlane nor any third party can access the raw, unencrypted information.
Dashlane has been very helpful in supporting the IT and digital teams, as well as information security. The functions of the two teams are separate to maintain a clear divide between technical implementation and policy development. First is credential risk protection, which provides complete visibility across the organization, enabling Tukavkin’s team to uncover credential risks and respond to threats faster. “We’ve seen a couple of examples in the aviation world, where things can go very fast once they’re attacked. The impacts can be very quick, so the team is constantly monitoring that,” said Tukavkin. A recent upgrade to Dashlane Omnix – an AI-accelerated credential security platform, helps staff monitor and identify risks, and it also ‘Nudges’, or sends employees automated notifications to mitigate direct risk credentials and whether there are reused passwords, or those entering websites that are not to be trusted.
Additionally, Tukavkin receives a monthly report that he reviews in depth, which shows a very high number of phishing attempts. “Phishing” refers to an attempt to steal sensitive information, typically in the form of usernames, passwords, credit card numbers, bank account information, or other important data, to utilize or sell the stolen information. With the robust system in place at T4 and the implementation of Dashlane, phishing attempts can be detected and mitigated. As an independent software tool, Dashlane can go over several applications, including MS and Apple, and it all works with Google. “Cybersecurity is never done. People are out there constantly innovating, and we have to constantly advance our technologies to protect our organization, as well as our terminal,” noted Tukavkin.
On the passenger processing side, the team at JFKIAT improved its operations at Customs and Border Protection (CBP) by working closely with the agency to implement Enhanced Passenger Processing (EPP). This initiative was launched in collaboration with BigBear.ai, a decision intelligence company that provides AI-powered software solutions for national security, supply chain management, and cybersecurity. BigBear.ai leverages facial recognition technology to automate identity verification for U.S. citizens only (at this time). Passengers do not need to be part of Global Entry or any other program. As a result of this resilient system, passenger wait times for U.S. citizens in Terminal 4 have dropped by an average of 9-10 minutes.
Furthermore, approximately 90% of passengers now complete the Enhanced Passenger Processing (EPP) in under 15 minutes, increasing staff efficiency and allowing U.S. Customs and Border Protection (CBP) to process travelers with fewer officers.
JFKIAT has also piloted biometrics in the self-service baggage drops. With the introduction of Next Generation Kiosks and Auto Bag Drop units, T4 passengers can easily check in and print their own bag tag, then drop their bags in a matter of seconds at one of the baggage drop units. The deployment of this self-service technology enables a smoother passenger process and flow at check-in. And while some passengers may need time to adjust to this new technology, they may also choose to opt out.
This technology works the same way as when you depart from T4: your face is scanned, and passengers can automatically board the airplane because it recognizes you, since it is connected to the U.S. government’s database.
In its commitment to providing a seamless, stress-free passenger experience, JFKIAT, in partnership with TSA, launched eGates in T4. This innovative technology allows passengers with PreCheck and CLEAR+ memberships to scan their boarding passes in a CLEAR+ lane, proceed immediately to an eGate for facial recognition verification, and then head directly to baggage screening. “For those who don’t want to do it, there’s still the option to opt out,” added Huinink. “Not everyone realizes that if you purchase a ticket and check in with the airline, all your credentials have already been checked, so it’s about people getting used to it, but also about making sure the government treats this information in the right way. So far, the collaboration has been very good, and it really helps CBP and TSA.”
At an annual Safety and Security Conference, Steve Tukavkin emphasized how cybersecurity has become more critical than ever. “Addressing cybersecurity threats and our collective roles as a terminal operator with our partners, whether it’s the airlines, our vendors, and business partners, after a cybersecurity incident, is really crucial. The destruction from an attack or breach could really affect us dramatically in a number of areas, whether it’s wayfinding displays, flight information, different messaging, or the public address system. Airports run 24/7, and so do the threats we face.”
With a focus on protecting T4 operations through continuous monitoring and visibility across the whole network, there’s the frontline; the human firewall layer with real-time, employee-facing and behind-the-scenes technologies that can detect an anomaly early and enable the team to quickly respond, reduce risk, and contain incidents, whether minor or a higher critical risk, to strengthen resilience. “I talked about cybersecurity resiliency as our main theme at our cybersecurity conference. It really shifts security from reactive to being more proactive to ensure safe and uninterrupted airport operations,” said Tukavkin
One of the biggest challenges is vulnerability management. Every month, there are about 70 different systems and applications that operate the terminal, and each one runs different operating systems and applications. Every month, vulnerabilities are identified, whether by the application manager or by third parties who do so as a business. Tukavkin explained, “Every month we apply fixes and patches, and it mitigates some 5,000 risks that we know about, but then another 4,000 are identified the following month. It’s a constant cycle.”
Last year, JFKIAT’s cybersecurity team worked with a consultant to assess their systems and maturity levels across various areas. As their current three-year roadmap concludes, they are evaluating progress to identify remaining gaps in technology, processes, and people. This review will shape their next three-year plan, with a focus on updated training and skill development.
In the instance of a physical security issue, whether it’s a fire, aircraft damage, or accident, a cybersecurity response is needed as well. “There’s a plan to recover from the tech side, but if there’s an impact on the passengers, we have a crisis response plan,” noted Huinink. The crisis response plan was a theme at the recent cybersecurity conference. Procedures and processes are in place with stakeholders and together with partners to manage the crisis. Those plans must be updated annually, and the human element must be trained. JFKIAT also has an ambassador program that trains community stakeholders to serve as ambassadors, ready and able to step up during a crisis.
With the cybersecurity plan in place, the focus is on how JFKIAT, as an operator, remains compliant with the TSA to follow the established plan. “That is called the cybersecurity assessment program that defines how we will be practically and regularly assessed, along with the effectiveness of the cybersecurity measures with the Port Authority,” stated Tukavkin. “It also drives specific projects to improve cybersecurity resiliency and helps us on the business end from an investment perspective, because this is quite costly to do.”
As physical IDs like passports and driver’s licenses go digital, strong, resilient cybersecurity provides passengers with the peace of mind that their identities are safe. While digitalization reduces physical losses, it shifts security risks into the digital realm.
Roel Huinink noted how the plan with the TSA was started before JFKIAT launched their directive, “It gives us guidance too, and a very specific focus from TSA on how we protect our infrastructure. When you go on this ride of implementing more technology, you need to invest more…a substantial amount of funds to protect those assets. You have to buy and implement the new assets, the new technology, which is funded privately.”
Ultimately, cybersecurity is not just an IT problem, and it’s not strictly the responsibility of IT professionals or outside IT digital support. From an information security perspective it is a shared responsibility across the organization, as well as the ecosystem because it is a collaboration where airports and terminals cannot run with just one entity; it ranges from the airlines and pilots, engineers, the operation teams, the regulators from the CBP and TSA, but also the business leaders, executives and the board that play a role in protecting both systems and passengers. “The participation of those key stakeholders, including government agencies, really underscores the depth of our commitment to cybersecurity. Late last year, we engaged a smaller company to test our external systems and internally as well. We always look at ways that we can seek to help out the local community in the tech industry, but sometimes that is quite difficult, as it is essential that they have the right skills and experience in this realm,” emphasized Tukavkin.
In speaking about utilizing the local Queens community resources in the area of cybersecurity and technology at T4, Huinink said, “ We, in all our contracts, have a goal of adding 30% of MWBEs, preferably from the local area, and I think in various parts of the technology, we have been very successful, but to Steve’s point some of those areas are so high-end technology driven, that it is not always possible. We always like to supplement our contracts with local vendors because we are really involved with the community. A lot of people work here and have families to feed, so we will do everything we can to involve them. However, looking across the board in all our contracts, not only technology, we’ve made big progress over the last couple of years, and we really take it seriously”.
