SUMMARY

Guidebook on Best Practices for Airport Cybersecurity

Cyber, or computer-based, threats are growing in number and sophistication. Although this trend is well publicized in the media, it is not as apparent that airports have been targeted and that some have fallen victim to cyberattack. The result has been the loss of confidential data, disruption to operations, costly recoveries, and degraded reputation. Such attacks are likely to become more common as airports increasingly rely on computing technology and cyberattackers become more sophisticated.

The technology that may be affected is not limited to the desktop computers, servers, and network devices that compose typical information technology (IT) infrastructure. Flight information display systems (FIDS), airfield lighting controls, heating and ventilation systems, baggage handling systems, access control devices, and a broad range of other mission-critical systems rely on digital technology that may be vulnerable to attack. Since these systems are often not regarded as computing devices, cybersecurity protective measures are often not applied.

Attacks against systems not owned by an airport can also have an impact and should be protected to the extent feasible through contracts and agreements. Airlines, concessionaires, and other tenants may utilize airport data, systems, and network resources in a manner that can introduce vulnerabilities. This interconnectivity is increasing as airports and their stakeholders leverage digital technology to work together more efficiently.

Some airports also allow employees to use their own smartphones, tablets, and computers for work purposes. There are many advantages of this approach, but it can also introduce many new vulnerabilities that must be addressed.

Another trend is that airports are increasingly relying on computing services delivered via the Internet, an approach referred to as cloud-based computing. When using the cloud, airports no longer have the same level of control over the security of their data and systems, so additional precautions are warranted, and reputable providers must be selected.

Despite the advanced technologies and sophisticated approaches used by attackers, some of the most basic vulnerabilities are where attacks begin. Many of these vulnerabilities are related to human activity. Poor handling of usernames and passwords, clicking on links from disguised sources, downloading suspicious software, and exposing sensitive information have led to many successful attacks. Often, advanced attackers will leverage one success to launch subsequent, more invasive attacks that target sensitive data and systems.

To protect themselves, airport managers, IT professionals, staff, tenants, and consultants need to be aware that these threats exist, of the impact these threats may have on critical data and systems, and of the measures they can take to protect the airport. Their goal should be to implement countermeasures that satisfy the risk aversion of those responsible for airport safety and efficiency to the extent available staff and funding allow. Perfect protection is not attainable, nor perhaps advisable, due to the expense. Multiple layers of defense that address the highest priority vulnerabilities, or “defense in depth,” should be the goal.

This guidebook and the associated multimedia material on the accompanying CD-ROM offer airports an approach to attain this goal. The guidelines provided are based on the best practices of the airport industry and also other industries, such as financial services, electrical transmission, and health care that have had to deal with these challenging problems for many years. Resources are provided to increase awareness and to train staff and other key stakeholders.

Findings

Most airports are taking steps to protect themselves from cyber threats. Virus protection software, network firewalls, and network password controls are common. Many airports have formalized their approach by establishing a cybersecurity program, often writing down the policies and procedures that program entails. A growing number of airports have appointed a chief information security officer (CISO) to lead these efforts. A few employ highly qualified technical staff to implement state-of-the-art protection.

Cybersecurity best practices are, however, not being universally applied by airports. The importance of cybersecurity is often not emphasized outside of an airport’s IT department; senior managers often do not fully appreciate the importance of cybersecurity when making funding decisions; and staff are often untrained, resulting in poor habits that expose vulnerabilities.

There are a growing number of resources, many freely available, that are not being fully tapped by airports. These include support from federal agencies, relevant information sharing forums, cybersecurity training programs, and relevant literature.

Based on the research that was conducted for this project, the following are some of the cybersecurity best practices that airports should consider:

- Become and stay aware of the threats that can impact critical data and systems by maintaining regular communication with peers and related agencies, participating in information sharing forums, and engaging (if the means exist) cybersecurity professionals.
- Establish and enforce policies for acceptable use, sensitive security information (SSI), information privacy, software and data assurance, training, and communications.
- Periodically train managers, staff, consultants, and tenants on their roles to protect data and system credentials, to be wary of social engineering tactics, to adequately protect the devices they control, and to report suspicious activity and policy infractions.
- Maintain an inventory of data, systems, network devices, and users that may be affected by a cyberattack.
- Identify vulnerabilities where these assets are not adequately protected and prioritize them based on the impact a successful attack may have.
- Implement countermeasures to achieve the level of protection that is desired and affordable.
- Assign CISO responsibilities to a qualified staff member, new hire, or consultant.
- Monitor computer and human behavior through manual and automated means.
- Communicate anomalous activity and successful attacks to the CISO, IT staff, senior management, affected stakeholders, other agencies, and law enforcement personnel.
- Be prepared to isolate affected systems, remove them, recover from attacks, and learn from them.
- Recognize that, even if all of the foregoing measures are implemented, the airport will still not be fully protected. Remain vigilant and continuously improve the level of protection to the extent possible given the available resources.

No airport is too small or too large to take these measures. There is no minimum threshold of investment that is required. The challenge is to balance the degree of risk that is acceptable with the opportunity cost of dedicating resources to other activities. Achieving this balance requires senior managers who are responsible for managing risk to work with IT and facility managers who are responsible for the data and systems that can create the risk. Technical advisors may also be required to summarize the salient details.

Conclusions

Cybersecurity has become a cost of doing business for airports. All airports can afford it; it is a matter of how much and what sacrifices they are willing to make. Regardless of the level they choose, all airports make this determination either proactively or by default.

As cybersecurity awareness increases, more airports are choosing to be proactive. They are appointing CISOs, establishing policies and procedures, training staff, implementing technical countermeasures, preparing their response should an attack occur, and sharing their results with peers. This trend is likely to continue and, as it does, that gap between the capabilities of the offense (i.e., attackers) and the defense (i.e., airport managers and staff) will shrink.

Recommendations

This guidebook and the associated multimedia material provide one of many resources to help airports achieve the goal of establishing a cybersecurity program that is founded on best practice. It is recommended that airport managers use these resources to help them establish a comprehensive cybersecurity program. Those that already have a cybersecurity program can use this guidebook to confirm that they have implemented best practices or to provide ideas on further improvements they can make. After establishment of a program that meets current industry best practices, airports are advised to continue to be vigilant and to use all resources, including those in this guidebook, to adapt to the constantly evolving threat of cyberattacks.