CHAPTER 2
What Is Cybersecurity?

"If bits or bytes pass through it, it may be vulnerable." (Survey respondent)

Cyber systems are a key and growing component of an airport's infrastructure. "Cyber" encompasses the computers, servers, and network components that form traditional IT infrastructure. It also includes the software used and the information transmitted over this infrastructure. Industrial control systems (ICS), such as airfield lighting; heating, ventilation, and air conditioning (HVAC); and baggage handling systems, are also part of an airport's cyber infrastructure. Together these systems support the safe operation of aircraft, development and maintenance of airport facilities, check-in and screening of passengers, and a variety of other activities.

The breadth of cyber systems found at an airport is growing as new systems and technologies become available not only to airport management and staff, but also to the airlines, tenants, and ultimately the passengers they serve. Rapidly advancing mobile computing capabilities are also encouraging some airports to rely on public cellular or wireless networks to extend the reach of their cyber systems within terminals and onto airfields. Some airports have a Bring Your Own Device (BYOD) policy, which allows their employees to use personal phones and tablets to perform work duties. The breadth of an airport's cyber systems is also not bounded by its network or facilities. An increasing number of airports are relying on computer infrastructure, software, and data on the Internet or in the "cloud."

As the number and breadth of cyber systems in use at airports grow, so does the risk of cyberattack. The expanded use of commonly used technologies, the increasing exchange of information between systems, and the criticality of their use increase the likelihood and potential impact of these attacks. Like any element of an airport's critical infrastructure, systems and their data must be protected.

Threats may be intentional, coming from sophisticated actors in well-funded countries or organizations, disgruntled staff or customers who already have access, or individual pranksters. Threats may also be unintentional, such as a mistaken release of sensitive information.

Some respondents to this project's online survey assumed that "if it's not connected to the Internet, it's not vulnerable to cyberattack." Unfortunately, this assertion has been proven wrong by many successful attacks that were not via the Internet. As one interview respondent said, "If bits or bytes pass through it, it may be vulnerable."

While the percentage of cyber threats that are averted remains very high, the number of threats has grown significantly and the damage caused by the threats that do get through is greater (Gilliland 2014). This is one of the reasons that the majority of respondents (22 of 40 or 55%) feels that the degree of cyber risk their organizations face has increased over the last year. Their concerns are warranted, as the following list of successful cyberattacks on airports suggests:

• A sophisticated advanced persistent threat from a sophisticated group of hackers acting on behalf of a nation state used a reputable industry source to send phishing emails to airports. Seventy-five airports were affected and two had systems that were compromised as a result (Center for Internet Security 2013).
• The Airport Operations Division of the Metropolitan Washington Airport Authority unintentionally published a request for procurement (RFP) on its website containing sensitive security information (SSI) detailing the outsourced electronic security system at the Ronald Reagan Washington National Airport (DCA). This RFP was not vetted through the IT department.
• Miami International Airport (MIA) has experienced almost 20,000 hack attempts per day before investing in training, education, and new hardware to protect itself from cyberattacks (Palmer 2013).
• Los Angeles World Airports (LAX, ONT, VNY, and PMD) blocked almost 60,000 cases of Internet misuse and 2.9 million hacking attempts in one year. LAX also experienced a number of cyber incidents related to malware that targeted a network baggage system (Cheong 2011).
• U.S. airport computer and communications systems were among the targets announced by the Tunisian Hackers Team in April 2014 (Kimery 2014).
• Researchers have demonstrated that some passenger screening devices used by the Transportation Security Administration (TSA) can be tampered with so that they do not provide the proper alerts if an attacker gains physical access to data ports on the devices (Rios 2014). Although not directly the responsibility of the airport, compromised TSA equipment could impair airport operations and expose additional vulnerabilities.
• A truck driver jamming his vehicle's global positioning system (GPS) receiver inadvertently interfered with an airport GPS augmentation system used to support aircraft approach procedures at Newark International Airport (EWR).
• Istanbul's Atatürk International Airport (IST) had password control systems shut down by what is believed to have been a malware attack, resulting in departure delays and extended waiting time for passengers (Paganini 2013).
• An undisclosed major, non-U.S., international airport uncovered a variant of the Citadel Trojan malware that targeted virtual private network (VPN) credentials used by employees (Klein 2012, Kumar 2012).
• The Dubai International Airport (DXB) had 50 email addresses and associated passwords stolen by a team of hackers from the Portugal Cyber Army and the HighTech Brazil HackTeam (Selvan 2013).
• The website of Catania–Fontanarossa Airport (CTA) in Italy was hacked and shut down for a few hours. A 22-year-old suspect was believed to have illegally accessed and damaged data (Kumar 2011).
• The Airports Authority of India's enterprise resource planning system was successfully hacked, resulting in the system becoming inoperative, but more importantly resulting in the loss of personal data on employees (Vijay 2014, The Asian Age 2014).

To combat these and other potential cyberattacks, many airports have taken measures to protect their data and systems. As Figure 2 shows, the top rationale for taking such measures is to prevent service interruptions, although preventing property damage or loss of life, preventing loss of information, preserving the airport's reputation, and complying with regulations are key motivators as well.

Driven by these motivators, many airports have established cybersecurity programs [according to 32 of 41 (78%) survey respondents who answered this question]. Most of these programs are based on written organizational policy [24 of 32 respondents (75%) of those who answered this question]. These programs often encompass an inventory of critical systems and assets, vulnerability assessments, monitoring for anomalous activity, configuration management, physical security, training, and other measures.
Unfortunately, only about half of survey respondents who answered this question [19 of 39 (49%)] felt that these measures provided adequate protection.

Fortunately, there is a growing number of resources that an airport can use to protect its data and systems. This mitigation requires specialized technical skills, software, and hardware as well as well-defined policies and procedures. While some airports have been able to provide such protection, not all airports can obtain, retain, and maintain the necessary staff and infrastructure. There is, however, a growing number of public and private organizations that can help airports establish and maintain effective cybersecurity programs. The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, the Department of Homeland Security (DHS)-funded Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Payment Card Industry (PCI) Data Security Standards (DSS) are just a few of the resources airports have tapped. The remainder of this guidebook is intended to help airports develop, and then to maintain, an approach to cybersecurity that leverages these organizations and other resources.

Figure 2. Reasons for implementing cybersecurity. Source: 27 of 55 (49%) survey respondents.