AIRPORT COOPERATIVE RESEARCH PROGRAM
ACRP REPORT 140

TRANSPORTATION RESEARCH BOARD
WASHINGTON, D.C.
2015
www.TRB.org

Research sponsored by the Federal Aviation Administration

Subscriber Categories
Aviation • Data and Information Technology

Guidebook on Best Practices for Airport Cybersecurity

Randall J. Murphy
Michael Sukkarieh
Grafton Technologies, Inc.
Newburyport, MA

Jon Haass
Paul Hriljac
SoftKrypt
Prescott, AZ
AIRPORT COOPERATIVE RESEARCH PROGRAM

Airports are vital national resources. They serve a key role in transportation of people and goods and in regional, national, and international commerce. They are where the nation's aviation system connects with other modes of transportation and where federal responsibility for managing and regulating air traffic operations intersects with the role of state and local governments that own and operate most airports. Research is necessary to solve common operating problems, to adapt appropriate new technologies from other industries, and to introduce innovations into the airport industry. The Airport Cooperative Research Program (ACRP) serves as one of the principal means by which the airport industry can develop innovative near-term solutions to meet demands placed on it.

The need for ACRP was identified in TRB Special Report 272: Airport Research Needs: Cooperative Solutions in 2003, based on a study sponsored by the Federal Aviation Administration (FAA). The ACRP carries out applied research on problems that are shared by airport operating agencies and are not being adequately addressed by existing federal research programs. It is modeled after the successful National Cooperative Highway Research Program and Transit Cooperative Research Program. The ACRP undertakes research and other technical activities in a variety of airport subject areas, including design, construction, maintenance, operations, safety, security, policy, planning, human resources, and administration. The ACRP provides a forum where airport operators can cooperatively address common operational problems.

The ACRP was authorized in December 2003 as part of the Vision 100-Century of Aviation Reauthorization Act. The primary participants in the ACRP are (1) an independent governing board, the ACRP Oversight Committee (AOC), appointed by the Secretary of the U.S. Department of Transportation with representation from airport operating agencies, other stakeholders, and relevant industry organizations such as the Airports Council International-North America (ACI-NA), the American Association of Airport Executives (AAAE), the National Association of State Aviation Officials (NASAO), Airlines for America (A4A), and the Airport Consultants Council (ACC) as vital links to the airport community; (2) the TRB as program manager and secretariat for the governing board; and (3) the FAA as program sponsor. In October 2005, the FAA executed a contract with the National Academies formally initiating the program.

The ACRP benefits from the cooperation and participation of airport professionals, air carriers, shippers, state and local government officials, equipment and service suppliers, other airport users, and research organizations. Each of these participants has different interests and responsibilities, and each is an integral part of this cooperative research effort.

Research problem statements for the ACRP are solicited periodically but may be submitted to the TRB by anyone at any time. It is the responsibility of the AOC to formulate the research program by identifying the highest priority projects and defining funding levels and expected products.

Once selected, each ACRP project is assigned to an expert panel, appointed by the TRB. Panels include experienced practitioners and research specialists; heavy emphasis is placed on including airport professionals, the intended users of the research products. The panels prepare project statements (requests for proposals), select contractors, and provide technical guidance and counsel throughout the life of the project. The process for developing research problem statements and selecting research agencies has been used by TRB in managing cooperative research programs since 1962. As in other TRB activities, ACRP project panels serve voluntarily without compensation.
Primary emphasis is placed on disseminating ACRP results to the intended end-users of the research: airport operating agencies, service providers, and suppliers. The ACRP produces a series of research reports for use by airport operators, local agencies, the FAA, and other interested parties, and industry associations may arrange for workshops, training aids, field visits, and other activities to ensure that results are implemented by airport-industry practitioners.

ACRP REPORT 140
Project 05-02
ISSN 1935-9802
ISBN 978-0-309-30880-9
Library of Congress Control Number 2015942910
© 2015 National Academy of Sciences. All rights reserved.

COPYRIGHT INFORMATION

Authors herein are responsible for the authenticity of their materials and for obtaining written permissions from publishers or persons who own the copyright to any previously published or copyrighted material used herein.

Cooperative Research Programs (CRP) grants permission to reproduce material in this publication for classroom and not-for-profit purposes. Permission is given with the understanding that none of the material will be used to imply TRB or FAA endorsement of a particular product, method, or practice. It is expected that those reproducing the material in this document for educational and not-for-profit uses will give appropriate acknowledgment of the source of any reprinted or reproduced material. For other uses of the material, request permission from CRP.

NOTICE

The project that is the subject of this report was a part of the Airport Cooperative Research Program, conducted by the Transportation Research Board with the approval of the Governing Board of the National Research Council.

The members of the technical panel selected to monitor this project and to review this report were chosen for their special competencies and with regard for appropriate balance. The report was reviewed by the technical panel and accepted for publication according to procedures established and overseen by the Transportation Research Board and approved by the Governing Board of the National Research Council.

The opinions and conclusions expressed or implied in this report are those of the researchers who performed the research and are not necessarily those of the Transportation Research Board, the National Research Council, or the program sponsors.

The Transportation Research Board of the National Academies, the National Research Council, and the sponsors of the Airport Cooperative Research Program do not endorse products or manufacturers. Trade or manufacturers' names appear herein solely because they are considered essential to the object of the report.

Published reports of the AIRPORT COOPERATIVE RESEARCH PROGRAM are available from:

Transportation Research Board
Business Office
500 Fifth Street, NW
Washington, DC 20001

and can be ordered through the Internet at http://www.national-academies.org/trb/bookstore

Printed in the United States of America
The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Ralph J. Cicerone is president of the National Academy of Sciences.

The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. C. D. Mote, Jr., is president of the National Academy of Engineering.

The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Victor J. Dzau is president of the Institute of Medicine.

The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy's purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Ralph J. Cicerone and Dr. C. D. Mote, Jr., are chair and vice chair, respectively, of the National Research Council.

The Transportation Research Board is one of six major divisions of the National Research Council. The mission of the Transportation Research Board is to provide leadership in transportation innovation and progress through research and information exchange, conducted within a setting that is objective, interdisciplinary, and multimodal. The Board's varied activities annually engage about 7,000 engineers, scientists, and other transportation researchers and practitioners from the public and private sectors and academia, all of whom contribute their expertise in the public interest. The program is supported by state transportation departments, federal agencies including the component administrations of the U.S. Department of Transportation, and other organizations and individuals interested in the development of transportation. www.TRB.org

www.national-academies.org
COOPERATIVE RESEARCH PROGRAMS

AUTHOR ACKNOWLEDGMENTS

The research reported herein was performed under ACRP Project 05-02 by Grafton Technologies, Inc.; SoftKrypt; and Grafton Information Services, Inc. with airport advisory services provided by the Massachusetts Port Authority (Massport). Randall J. Murphy, President of Grafton Technologies, Inc. was the Principal Investigator. The other authors of this report are Dr. Jon Haass, Associate Professor of Cyber Intelligence and Security at Embry-Riddle Aeronautical University (ERAU) and Chief Executive Officer at SoftKrypt; Dr. Paul Hriljac, Professor of Mathematics and Computer Science at ERAU and Chief Technical Officer at SoftKrypt; Michael Sukkarieh, cybersecurity expert at Grafton Technologies, Inc.; Thomas Crossman, Project Researcher at Grafton Technologies, Inc.; Patrick McHallam, Application Developer at Grafton Technologies, Inc.; and Maureen Murphy, Project Administrator at Grafton Information Services, Inc. Tom Domenico, Director of Cyber Security & Public Safety Systems at Massport, and Jeffrey W. Jordan, Senior Project Manager of the Information Technology Department at Massport, provided airport advisory services to the project team.

CRP STAFF FOR ACRP REPORT 140

Christopher W. Jenks, Director, Cooperative Research Programs
Michael R. Salamone, ACRP Manager
Marci A. Greenberger, Senior Program Officer
Joseph J. Snell, Senior Program Assistant
Eileen P. Delaney, Director of Publications
Natalie Barnes, Senior Editor

ACRP PROJECT 05-02 PANEL
Field of Security

Royce Holden, Greater Asheville Regional Airport Authority, Fletcher, NC (Chair)
Caroline Barnes, FBI Newark Division, Newark, NJ
John McCarthy, Service Tec International, Reston, VA
David E. Wilson, Port of Seattle, Seattle-Tacoma International Airport, Seattle, WA
Martha A. Woolson, Alexandria, VA
Abel Tapia, FAA Liaison
Aneil Patel, Airports Council International-North America Liaison
Christine Gerencher, TRB Liaison
FOREWORD

By Marci A. Greenberger
Staff Officer
Transportation Research Board

ACRP Report 140: Guidebook on Best Practices for Airport Cybersecurity provides resources for airport managers and information technology (IT) staff to reduce or mitigate inherent risks of cyberattacks on technology-based systems. Traditional IT infrastructure such as servers, desktops, and network devices are covered along with increasingly sophisticated and interconnected industrial control systems, such as baggage handling, temperature control, and airfield lighting systems. Accompanying this guidebook is a CD-ROM of multimedia material that can be used to educate all staff at airports about the need, and how, to be diligent against cybersecurity threats.

Cybersecurity is a growing issue for all organizations, including airports. While the risks to traditional IT infrastructure are often highlighted, many airports also rely on industrial control systems that introduce risks that are less apparent. The increasing practice of Bring Your Own Device (BYOD), whereby employees use their own personal devices for business purposes such as email and remote access to airport systems, brings its own risks that must be managed. These risks cannot be eliminated, but they can be reduced through implementation of industry standards, best practices, and awareness programs for employees.

Grafton Technologies, Inc., as part of ACRP Project 05-02, conducted research on risks and practices from within and outside of airports to develop these best practices and resources. The multimedia material that can be found in the CD-ROM can help make employees and consultants aware of the various ways in which cyberattacks can occur and what they can do to mitigate and prevent them from being successful. Airport chief information officers, IT managers, and all airport staff, as well as consultants, tenants, and others who conduct business at airports, will find information and resources that will be useful and applicable to their responsibilities at the airport.
CONTENTS

Summary
Chapter 1 Introduction
Chapter 2 What Is Cybersecurity?
Chapter 3 An Approach to Cybersecurity at Airports
  Overview
  Primary Activities
  Key Roles and Responsibilities
  Cybersecurity Tasks
  Threats
  Affected Data and Systems
  Countermeasures
Chapter 4 Implementing Countermeasures
  Airport Systems
  IT Infrastructure
  End-Point Systems
  Industrial Control Systems
  Wi-Fi
  Cloud-Based Services
  Global Positioning System
  Human Considerations
  Social Engineering
  Bring Your Own Device
  Use of Social Media
  Malicious Insiders
  Service Providers
  Service Providers That Can Increase the Likelihood of a Cyberattack
  Service Providers That Help Protect an Airport
  Passengers, Greeters, and Other Occupants
  Private, Confidential, and Sensitive Information
Chapter 5 Developing a Cybersecurity Program
  Cybersecurity Governance
  Legal Requirements and Regulation
  Standards and Guidelines
  Payment Card Industry Data Security Standards
  Policies
  Contracts and Procurement Considerations
  Software and Information Security Assurance
  Resources Required
  Staffing
  Funding
  External Support
  Cybersecurity Training
  Awareness Training
  Specialized Training
  Training Resources
  Sustaining a Cybersecurity Program
  Risk of Implementing a Cybersecurity Program
Chapter 6 Detecting, Responding to, and Recovering from Attacks
  Detecting Attacks
  Responding to an Attack
  Recovery to Normal Operations
  Lessons Learned
Chapter 7 Conclusions and Suggested Research
  Conclusions
  Suggested Research
Glossary, Abbreviations, Acronyms, and Symbols
References
Appendix A Categorized List of Cybersecurity Threats
Appendix B Airport Systems
Appendix C Countermeasures
Appendix D Using the Multimedia Material

Note: Photographs, figures, and tables in this report may have been converted from color to grayscale for printing. The electronic version of the report (posted on the web at www.trb.org) retains the color versions.