State audit sheds light on cyberattack, vulnerabilities at Salt Lake City airport


KEY TAKEAWAYS
  • A state audit reveals a cyberattack on Salt Lake City airport in December 2024.
  • Auditors criticize airport's cybersecurity, urging improved governance and risk management.
  • Salt Lake City officials dispute some findings, emphasizing ongoing cybersecurity improvements since attack.

SALT LAKE CITY — A new state legislative audit sheds light on a cyberattack at Utah's largest airport a little more than a year ago, but state legislative auditors and Salt Lake City officials don't see eye-to-eye on its findings.

"We found many areas of improvement in our risk assessment that require attention and improvement," said Kade Minchey, Utah auditor general, adding that he's concerned that the city "will not take recommendations seriously that aren't related to cybersecurity."

Salt Lake City officials, on the other hand, felt the report "leans heavily into criticizing" airport and city leadership rather than addressing the airport's cybersecurity readiness. Still, airport officials appeared willing to address the challenge, as the report was discussed during a Utah Legislative Audit Subcommittee meeting on Tuesday.

"I just want to make sure that it's clear that we substantively agree with the recommendations that (the state) has made in this audit," said Rachel Otto, chief of staff for Salt Lake City's Mayor's Office, adding that the city wasn't "shy" in its response but it is taking the issue seriously.

A 2024 attack

State officials requested the audit in 2025, months after Salt Lake City International Airport was the subject of a cyberattack, which appears to have been mostly kept under wraps since it happened.

The December 2024 attack zeroed in on one of the airport's networks that manages the facility's system controls, such as its ventilation and paging network, according to a background summary compiled by the city. State officials say the hackers "compromised" multiple administrator accounts and created new accounts.

The attackers installed ransomware that temporarily locked airport staff out of multiple systems and were apparently preparing to steal sensitive data until Utah Cyber Center and Salt Lake City information technology experts helped resolve the situation.

It resulted in "minimal impact" in the end. No personal identifying information or other valuable data was exfiltrated, city and state officials said.

Airport leaders made "several necessary personnel changes" after the incident, including working with the Salt Lake City Information Management Systems Department, to "correct vulnerabilities and ensure that the SLCIA cybersecurity defenses are robust," Otto added. The two sides have worked closely ever since to avoid a repeat incident.

"While it is important to emphasize that cybersecurity is a constantly evolving landscape where more can always be done, we have committed significant resources in terms of dollars, personnel and management to protect the SLCIA environment. ... (The) triggering event was unfortunate, but has made us stronger," Otto wrote in a letter before Tuesday's meeting.

However, state legislative auditors say it also "put critical systems and sensitive information at risk," which they said is concerning because the airport serves as a vital transportation and economic hub in Utah.

An 'insufficient' system

The airport's cybersecurity controls were "insufficient and did not appear to meet federal requirements" before the attack, creating vulnerabilities, the report states. These include best practices outlined by the Transportation Security Administration, although the city asserts that it followed three of four guidelines that the agency recommended at the time.

A cybersecurity tool the city recently installed with federal and state funds helped prevent further damage by raising an alert about the attack. As one aspect of the audit, experts from the Utah Education and Telehealth Network found that the airport has improved its cybersecurity since the attack.

The team still found that the airport was "lagging" in some elements, adding that it must strengthen its cybersecurity controls and processes to mitigate future risks.

Auditors said that "shortcomings in governance and leadership" allowed these vulnerabilities to exist and the attack to happen. They clarified on Tuesday that there was a rift between the airport's maintenance and IT departments that led to maintenance creating its own IT division, which introduced potential risks.

They recommend regular airport cybersecurity reporting to city leadership and evaluating the organizational structure to ensure IT and maintenance needs are met.

Auditors ultimately outlined three key findings and four recommendations in their report.

Key findings

  • Inadequate leadership and governance directly contributed to unaddressed cybersecurity risks.
  • Leadership did not fulfill basic responsibilities, which enabled poor coordination between critical divisions at the airport.
  • Internal audit effectiveness depends on good governance and leadership.

Top recommendations

  • The Salt Lake City airport should adopt best practices that mitigate risk from external vendors and address other issues identified by the Utah Education and Telehealth Network security team.
  • The Salt Lake City airport should develop a process for systematically mitigating cybersecurity risk. This process should include regular risk assessments and evaluations on the effectiveness of existing controls.
  • Salt Lake City should hold the Salt Lake City airport accountable for implementing effective cybersecurity controls. This should include regular reporting on cybersecurity by the airport to Salt Lake City leadership.
  • The Salt Lake City airport executive director should hold airport division directors accountable for implementing audit recommendations. This should involve regular updates between the executive director and division directors on audit recommendations. These efforts should be in support of a culture that values the work of internal auditing.

While auditors said the airport has taken "meaningful steps" to improve security, they warn that "important gaps in governance, risk management and coordination" still exist. They say addressing these issues and following the best cybersecurity practices are "critical to sustaining recent improvement."

The report adds that "airport leadership needs to take risk management seriously" to avoid future disruptions and data leaks, which could have devastating impacts on the state's economy. They called on Salt Lake City airport director Bill Wyatt to push division directors to implement changes recommended in the report.

City's response

Salt Lake City, which was given a copy of the report in advance, agreed with some of the report's findings. These include the need to establish "stronger governance through written cybersecurity implementation and response protocols," and holding division directors accountable, Otto said.

It's something the city is currently focused on within a field that is "constantly and rapidly evolving." Wyatt added that there were some steps the airport could have taken before the 2024 attack, which are clearer with hindsight.

Yet the city felt the report was vague, offering "minimal discussion" on the state of the airport's cybersecurity readiness, which is what the city wanted from the report. The city felt the report focused more on criticizing the airport and city leadership than it had anticipated when agreeing to be audited.

Minchey wrote that he's concerned the city appeared to shift blame to a previous IT director while absolving city and airport leadership of responsibility for problems that existed at the time and that auditors believe exist today.

Tuesday's meeting appeared to clear the air, as city and airport leaders outlined improvements they've made and commitments to the issue. Utah House Speaker Mike Schultz noted that cybersecurity is a key topic and acknowledged the challenges that the new audit now introduces.

"The good thing about audits is that they help expose a problem; the bad thing about audits is the whole world now knows there's a problem," he said. "Hopefully, you're really taking that seriously and working overtime right now to make sure that nothing happens."

Senate President Stuart Adams called it "high priority," pointing to issues that Delta Air Lines and other airports have faced in recent years, which caused serious impacts.

The committee ended up pushing the audit to a pair of legislative committees for further review and potential new legislation.

The Key Takeaways for this article were generated with the assistance of large language models and reviewed by our editorial team. The article, itself, is solely human-written.

Carter Williams, KSL
Carter Williams is a reporter for KSL. He covers Salt Lake City, statewide transportation issues, outdoors, the environment and weather. He is a graduate of Southern Utah University.