Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
4An increased use of technology within an environment of increasing threat necessitates a vigilant approach to cybersecurity. Airport managers and staff; airline, concession, and other tenants; contractors and consultants; travelers; and shippers are progressively reliant on computers, electronic devices, and network infrastructure. These rapidly advancing technologies offer better service, enhanced capacity, improved safety, and operational efficiency. Unfortunately, they also increase an airportâs exposure to individuals, organizations, and countries looking to cause disruption, steal information, or harm critical infrastructure by exploiting weaknesses in technology. They also create opportunities for insiders to deliberately cause harm or well-intentioned individuals to make mistakes that can have similar consequences. An increased use of technology within an environment of increasing threat necessitates a vigilant approach to cybersecurity. The objective of this guidebook is to provide guidance that will help airports achieve that vigilance by implementing cybersecurity best practices. It offers an approach to identifying threats, prioritizing them based on the potential impact they may have on critical systems, and implementing countermeasures that can help airports prevent and recover from successful attacks. These guidelines will help airports establish an effective cybersecurity program that fits their budget and technical capabilities. They can also help airports that already have an established cybersecurity program validate or improve their program based on industry best practices. The best practices are based on lessons learned from peer airports as well as organizations in financial, health care, utility transmission, communications, and defense industries. This guidebook also identifies government resources, guidelines, policies, and regulations that have been rapidly emerging to help thwart the growing threat of cyberattack within the United States. Private-sector resources are described along with suggestions on how to identify and select the most appropriate product or resource. After this introduction, Chapter 2 of this guidebook defines cybersecurity and highlights why it is a subject of growing importance. Chapter 3 offers an approach to addressing the cybersecurity needs of an airport, detailing the threats that exist, the airport systems that may be vulnerable, and the countermeasures that can be taken to reduce those vulnerabilities or to respond if an attack is successful. These and other basic terms are shown conceptually in Figure 1. Chapter 4 provides specific details on implementing countermeasures in key areas of vulnerability. Each area is introduced; common threats are identified; countermeasures are recommended; and additional resources are offered. Chapter 5 provides guidance on establishing and maintaining a cybersecurity program based on industry best practices. Throughout the guidebook symbols are used to denote threats ( ), affected data and systems ( ), countermeasures ( ), and resources ( ). This guidance is intended to help those responsible for cybersecurity at an airport prioritize, fund, and execute the most relevant aspects of a strong program. Finally, the guidebook identi- fies ongoing activities that airports should follow to detect and respond to attacks. Appendixes C H A P T E R 1 Introduction This report provides guidance on establishing and maintaining a cybersecurity program based on industry best practices.
Introduction 5 provide a glossary of relevant terms. Throughout the guidebook are references to literature and public resources that airport managers and staff may find helpful. Research findings from this project indicate that chief information officers (CIOs), IT managers, CISOs, cybersecurity managers, other staff positions, and a few chief executive officers (CEOs) [based on 41 of 44 (93%) of those that responded to the question] are the ones responsible for establishing and maintaining airport cybersecurity programs. This guidebook is intended to help them fulfill this responsibility by offering guidance, resources, and tools. This guidebook is accompanied by a CD containing multimedia material that offers airports training, documentation, tools, and resources that they can leverage to cost-effectively implement cybersecurity best practices. The audience for this multimedia material encompasses airport senior management, IT managers, department managers, and staff. Other airport stakeholders such as agencies that oversee airports, airlines, concessionaires, consultants, contractors, and others may find the material helpful as well. Both this written guidebook and the accompanying multimedia material are organized to make it easy for readers to find the material best suited for them. This multimedia material should work on any computer and does not require technical expertise to use. Figure 1. Basic cybersecurity terms. Content that is supported by relevant multimedia material is highlighted with an icon (shown at left) and enclosed in a box. Instructions on how to use the multimedia material can be found in Appendix D. This guidebook and the accompanying multimedia material were developed based on targeted industry research as well as on the experience of the research team and its advisors. The research started with a literature search to identify relevant (and credible) research papers, journal articles, conference proceedings, research papers, and books on airport cybersecurity and related topics. These documents were reviewed and relevant findings were extracted and included in the report, as cited. In addition, dialogue with the growing number of researchers, committee chairs, and association members who are focused on cybersecurity helped identify the current state of prac- tice. Next, airports and other relevant organizations were asked to complete an online survey,
6 Guidebook on Best Practices for Airport Cybersecurity the results of which are incorporated into these materials. Although care must be taken when interpreting the results of any small population survey, the findings and trends identified are supportive. The survey led to face-to-face and telephone interviews with personnel at airports that have exemplary cybersecurity programs as well as industry, government, and private-sector providers who supplied complementary information and resources. The project deliverables also benefitted from the years of experience and background of the research team. The research team included individuals each with decades of experience in air- port IT or cybersecurity. It was augmented by a team member with many years of experience in implementing cybersecurity best practices within the financial sector. Team advisors from a major airportâs IT department helped ensure the results are applicable within typical airport organizations. The research that was conducted was also guided by a panel of experts assembled by the Airport Cooperative Research Program (ACRP). This panel included airport IT managers, representatives from federal agencies, an airport industry association, and consultants focused on cybersecurity. Their guidance during the proposal development, work planning, interim, and final deliverable stages of this project ensured that the guidebook addresses airport industry cybersecurity needs. Although the collective efforts of the research team, advisors, and panel members have con- tributed to the applicability, the thoroughness, and the quality of this guidebook, there are some inherent limitations: ⢠The realm of cybersecurity is rapidly changing. This guidebook was written to have as much longevity as possible but to provide specifics; it is likely that some findings will soon be out of date. ⢠Much of the information provided was shared on the condition of anonymity because of its sensitive, proprietary, or confidential nature. The result is that many of the findings are gen- eralized indicating the proportion, trend, or type of respondent and not providing details that respondents asked not be shared. ⢠Care was taken to ensure that the information provided in this guidebook can be used to help airports protect themselves against cyberattack but that it did not provide details that would help potential attackers. This concern is shared by authors of similar documents in the indus- try. Some industry experts, however, suggest that modern cybercriminals are very sophisti- cated and not likely informed by guidance such as found in these deliverables. It was further noted that many of the protective measures that can have a significant impact are commonly known, just not commonly implemented. ⢠There are many private-sector products and resources that can help airports establish and maintain cybersecurity programs. Recommendations of individual companies or consultants, however, are not provided in this guidebook or the accompanying multimedia material. To help address these limitations, the following forums are recommended and may provide the longevity, specifics, and referrals that this guidebook cannot. They are provided as a means of augmenting the resources cited in the remainder of the guidebook. Airports Council InternationalâNorth Americaâs Business Information Technology Committee: www.aci-na.org/committee/business-information-technology/ Aviation Information Sharing and Analysis Center: a-isac.com/ Multi-State Information Sharing and Analysis Center: msisac.cisecurity.org/ National Crime Information Center: fas.org/irp/agency/doj/fbi/is/ncic.htm/ National Institute of Standards and Technology: www.nist.gov TRBâs Cybersecurity Subcommittee (sponsored under ABE40): www.abj50.org/subcommittees/ cybersecurity/
