CHAPTER 3
An Approach to Cybersecurity at Airports

The underlying goal should be to identify and address vulnerabilities to satisfy the risk tolerance of senior management in an efficient and cost-effective manner.

Overview

The core of a cybersecurity program is the approach that is used to identify, assess, and reduce the risk of successful attack. This process can be implemented in phases but must remain flexible to respond to new risks as they arise. The goal is to implement multiple layers of countermeasures that are deployed throughout an airport's systems, data, infrastructure, and personnel. This is referred to as "defense in depth." The essential elements of such an approach are illustrated in Figure 3 and detailed in subsequent sections of this guidebook. This process should be led and managed by the CISO or a similar position that senior management has entrusted to manage the airport's risk of being impacted by cyberattack. The process described in Figure 3 is included in the multimedia material for IT staff.

Primary Activities

The steps illustrated in Figure 3 are organized into columns representing the primary activities established by the NIST Framework for Improving Critical Infrastructure Cybersecurity (NIST 2014). The primary activities defined by the NIST Framework are listed below and illustrated as columns in Figure 3:

1. Identify the equipment, software, business practices, and data flows within the organization, its networks, and its subnetworks. This inventory is required in order to understand the scope of implementing comprehensive protective measures, and also to organize the myriad details that are necessary, especially in the event of an attack. The inventory process needs to be an ongoing activity because systems frequently change, software is updated, and new personnel are hired.

2. Protect systems, data, and infrastructure by implementing and updating countermeasures in a prioritized manner, informed by monitoring.

3. Detect cyberattacks in a timely manner by monitoring for anomalous activity on end-point systems, IT and communications networks, and in areas where sensitive IT and ICS infrastructure exists. It is important to periodically test the detection mechanisms for proper configuration and response in order to reduce both false positives and false negatives.

4. Respond to cybersecurity attacks in a quick and effective manner, while minimizing the duration and extent of their impact. Effective response begins before an attack occurs, with planning on how to react and with the collection of information and contacts that can help.
[Figure 3. An approach to implementing cybersecurity at airports. Columns: Identify, Protect, Detect, Respond, Recover. Rows: Management, Staff, Consultants, Tenants, IT Personnel, with a potential role for service providers. Boxes: Threats (Actor, Motives, Vectors, Targets), Inventory, Estimate Likelihood, Estimate Impact, Vulnerability, Prioritize, Allocate Resources, Countermeasures, Establish Policy, Procedures, Best Practices, Training Material, Training, Patches and Updates, Reports, Monitor, Determine Impact, Issue?, Inform Stakeholders, Analyze, Triage, Contain, Remove, Restore, Metrics.]
Guidebook on Best Practices for Airport Cybersecurity

5. Recover from a cyberattack and update future response capabilities based on lessons learned. Backups of data and virtual system images can help in this regard. The goal is to return to a normal state of operation, but this requires a clear definition of what that normal state is.

Key Roles and Responsibilities

The five primary activities of the NIST Framework are carried out at an airport by senior management, IT personnel, airport staff, consultants, and tenants. Their roles are illustrated as the rows in Figure 3. These key roles are supported by a variety of other stakeholders from within the airport, as well as by third party service providers. The manner in which each of these roles carries out cybersecurity activities is illustrated by the arrows in Figure 3. These primary and supporting roles are defined in detail in the Staffing section under Resources Required in Chapter 5 of this guidebook.

An interactive version of Figure 3 is available in the multimedia material. This lesson on the process of establishing a cybersecurity program describes the overall approach and the key roles involved. Each step of the flowchart provides a link to further information about that step.

Cybersecurity Tasks

Within each of the five primary activities identified by the NIST Framework is a series of tasks that are carried out by individuals who fulfill the previously identified roles. These tasks are represented by the boxes in Figure 3 and are described below in the general order in which they are carried out.

Identify

Threats to an airport's data and systems exist and are increasing in number and sophistication. The first task for IT and facility managers is to identify the threats that may impact airport data and systems.

Actors, encompassing hackers, nation states, criminal organizations, and even insiders, carry out cyberattacks against an organization by exercising a threat where they believe a vulnerability exists. Actors should be classified based on their skill level, available resources, and motives. This information is referred to as attribution and can help in responding to and recovering from an attack.

Motives are the reasons actors carry out threats. Knowing the types of motives (whether to obtain salable information such as credit card numbers, to disrupt operations, or to exploit sensitive information) can help when prioritizing countermeasures, as well as when responding to and recovering from an attack.

Vectors are the avenues or channels an attacker uses to conduct an attack. Identifying and understanding the possible vectors that an actor may use can help in assessing the likelihood of an attack.

Targets of cyberattacks include IT systems and ICS, as well as the data contained within or conveyed by these systems. An inventory of the potential targets (including their criticality to airport operations; users served; vendors; software versions, patches, and updates; and data stored and exchanged) is essential input to a vulnerability assessment. This information can be collected during an IT master plan or other initiative but should be kept up to date as existing systems are reconfigured and new systems are installed. Maintaining a detailed configuration management database makes protection and detection more effective.
Estimate the likelihood of specific cyberattacks by reviewing the numerous combinations of threats, actors, vectors, motives, and targets that exist. The likelihood of these scenarios should be quantified to the extent possible. These quantitative rankings can be recalibrated over time as threats evolve, attacks occur, and lessons are learned.

Estimate the impact of each vulnerability, should it be exploited by an attack, to determine the level of data, financial, or operational loss that could occur. Factors that should be taken into consideration include the impact on airport and National Airspace System operations; the loss of personal, confidential, sensitive, or financial data that may occur; the potential to violate regulatory requirements; the number of affected users and stakeholders; and loss of reputation and public concern. The Cybersecurity Assessment and Risk Management Approach (CARMA) from DHS provides a methodology for assessing cybersecurity risks to critical infrastructure.

Vulnerability assessments should summarize the threats to which airport data and systems are exposed, as well as the impact that a successful attack may have on data and systems. Vulnerability assessments may be carried out for all data and systems or for specific subsets deemed to be a higher priority.

Senior management, with the assistance of the CISO as well as IT and facility managers, should prioritize vulnerabilities from those that should be addressed urgently, to those that should be addressed as resources are available, to those that are acceptable without mitigation.

Protect

Senior management should allocate funding and staff resources based on the prioritization of vulnerabilities to be addressed, their tolerance for risk, and the availability of limited resources.

Countermeasures should be led by the CISO and implemented by IT and facilities staff, possibly with the support of external providers, based on the priorities established and the resources allocated by senior management.

Procedures will be necessary to ensure that countermeasures have been properly established and are being carried out.

Policy that is endorsed and enforced by senior management will be required to ensure that procedures are followed.

Patches and Updates to systems, especially those deemed essential from a security perspective, should be applied as they are made available by vendors. This process should be automated to the extent possible.

Training material should be developed or procured to inform airport managers, staff, consultants, and tenants of their responsibilities with regard to implementing countermeasures. Training should be required, as a matter of policy, of all staff, consultants, and tenants over whom the airport has authority. This training should be required of new hires and periodically of all staff, consultants, and tenants.

Best practices that support the countermeasures employed by the airport should be carried out by all managers, staff, consultants, and tenants.

Detect

Reports of anomalous system activity, suspicious human activity, and data breaches should be promptly communicated to the individuals responsible for cybersecurity at the airport. These reports may come through help desk personnel, managers, or security personnel.

Monitor networks through software or hardware that is on-site or within the data centers of external providers. Alerts of anomalous activity, attempted or unusual access requests, suspicious network traffic, or other events that may indicate an attack has occurred should be provided to designated IT personnel. Critical alerts should be conveyed to the CISO as soon as possible.
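The monitoring and alert-routing described above, as an added example that is not part of the guidebook: each inventoried system gets a recorded "normal state" metric, observations that depart from it are flagged, and alerts go to designated IT staff or, for critical systems and for systems missing from the inventory, to the CISO. The inventory excerpt, the hourly samples and the 3-sigma threshold are constructed here for illustration.

```python
"""Added example: baseline-and-alert logic for the Detect task.
The inventory, the normal-state samples and the threshold are constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed inventory excerpt; criticality comes from the Identify task.
INVENTORY = {
    "fids-01": {"name": "Flight information display server", "criticality": "critical"},
    "bhs-plc": {"name": "Baggage handling PLC gateway", "criticality": "critical"},
    "pub-wifi": {"name": "Public Wi-Fi controller", "criticality": "low"},
}

# Constructed normal-state samples: outbound connections per hour, the same
# hour of day over seven days. Recover asks that such metrics be recorded.
NORMAL_STATE = {
    "fids-01": [120, 131, 118, 125, 129, 122, 127],
    "bhs-plc": [8, 9, 8, 10, 9, 8, 9],
    "pub-wifi": [4100, 3950, 4200, 4050, 4300, 3980, 4120],
}


@dataclass
class Alert:
    system_id: str
    metric: str
    observed: float
    baseline_mean: float
    baseline_sd: float
    route_to: str  # "CISO" or "IT on-call"


def baseline(samples):
    """Mean and population standard deviation of the normal-state samples."""
    return mean(samples), pstdev(samples)


def deviation(observed, mu, sd):
    """Signed distance from the baseline in standard deviations (sd == 0 guarded)."""
    if sd == 0:
        return 0.0 if observed == mu else float("inf")
    return (observed - mu) / sd


def route(system_id):
    """Critical systems go to the CISO at once; everything else to designated IT staff."""
    crit = INVENTORY.get(system_id, {}).get("criticality", "unknown")
    return "CISO" if crit in ("critical", "unknown") else "IT on-call"


def evaluate(observations, normal_state=NORMAL_STATE, threshold=3.0):
    """Compare this hour's observations with each system's baseline; return alerts."""
    alerts = []
    for system_id, observed in observations.items():
        if system_id not in normal_state:
            # A system with no recorded normal state is itself an inventory gap.
            alerts.append(Alert(system_id, "connections/hour", observed, 0.0, 0.0, "CISO"))
            continue
        mu, sd = baseline(normal_state[system_id])
        if abs(deviation(observed, mu, sd)) >= threshold:
            alerts.append(Alert(system_id, "connections/hour", observed, mu, sd, route(system_id)))
    return alerts


if __name__ == "__main__":
    # Constructed observation: the PLC gateway suddenly talks far more than usual.
    for a in evaluate({"fids-01": 126, "bhs-plc": 240, "pub-wifi": 4150}):
        print(f"{a.system_id}: {a.observed} vs {a.baseline_mean:.1f}±{a.baseline_sd:.1f} -> {a.route_to}")
```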
Determine the impact of the reported activities and monitoring results quickly, using the information collected and recorded in the inventory and vulnerability assessments.

If an issue is detected, those responsible for cybersecurity at the airport should promptly take the appropriate actions.

Inform stakeholders who have previously been identified as being able to assist or who may be affected, in accordance with the airport's communications policies. Individuals responsible for cybersecurity should work with senior management as well as the communications staff to determine the appropriate content, timing, and distribution channel(s) of information regarding the cyberattack that has occurred.

Respond

Analyze the attack to determine the severity of the impact, the cause, and the remediation actions that can be taken. The inventory, risk assessment, and metrics quantifying the normal state of operations should be taken into consideration.

Triage should be conducted using the analysis described above as input to prioritize the actions that can be taken to react to the attack.

Contain the causes and effects of the attack to the extent possible by quarantining malicious code, shutting down systems, blocking network traffic, and other means. As these measures may affect legitimate and in some cases critical operations, backup procedures should be established so that they can quickly be implemented when needed.

Remove the cause of the attack by deleting malicious code or rolling back systems to the last known stable state. The application of configuration management principles is critical for this to occur rapidly and efficiently.

Recover

Restore data and systems to their normal state as quickly as possible. This requires that the normal state has been defined, which should be done as a part of the inventory process. Metrics should also indicate typical user loads and network traffic.

Metrics should be tracked to quantify the effect of the attack so that lessons can be learned and used to re-prioritize countermeasures to reduce the likelihood of similar attacks occurring in the future, as well as to improve the response to other attacks.

The activity areas, roles, and tasks described here and illustrated in Figure 3 form an approach to assessing and reducing the cybersecurity risks faced by airports. While this approach is founded on best practices, it is not the only option and should be adjusted to the needs of each airport based on its size, risk tolerance, and resources. Regardless of how cybersecurity is approached, the underlying goal should be to identify and address vulnerabilities to satisfy the risk aversion of senior management in an efficient and cost-effective manner.

Threats

Threats are actions that can adversely affect an airport's operations or assets (Committee on National Security Systems 2010). As airports increasingly use technology to support customer service (Ranasinghe 2014), improve aircraft operations (Port Authority of New York & New Jersey n.d.), enhance security (TSA 2014), become sustainable (Peters and Woosley 2009), and achieve many other strategic goals, they become more exposed to threats against their digital data and electronic systems. These cyber threats are increasing in number and in sophistication (Rainie et al. 2014). The individuals and organizations (aka actors) that carry out such attacks are also growing in number and sophistication. Nation states, organized crime, and corporations are investing substantial resources in cybersecurity offense. As the proliferation of interconnected electronic devices and the public's reliance on them grows, this trend is likely to continue.

"Know your enemy . . ." —Sun Tzu
An important first step in cybersecurity is to understand the types and sources of threats that airports face. As Sun Tzu, the ancient Chinese general, strategist, and philosopher, stated, "Know your enemy" (Sawyer 2007). This does not mean that airports need to study every aspect of cyber threats, actors, and motives. There are agencies, companies, and individual consultants that are dedicated to this mission. Airports should, however, be aware of the resources that exist. These include agencies such as the Federal Bureau of Investigation (FBI), organizations such as MS-ISAC, and third party service providers. From these resources, airport CISOs should understand the threats that may expose vulnerabilities in their systems so that they can prioritize efforts to deploy countermeasures.

A place to start is with the NIST Guide for Conducting Risk Assessments, which identifies threats and organizes them into the following categories to facilitate the assessment of the impact they may have (NIST 2012):

Confidentiality Breach
Counterfeit Hardware
Data Breach
Delayed Technology Refresh
Denial of Service
Host Exploit
Inadequate Monitoring of Events
Ineffective Disposal
Ineffective Testing
Insider Threat
Intentional Data Alteration
Intentional Data Theft
Internal Threat
Labor Action
Lack of Internal Control
Malicious Code
Organized Campaign
Pandemic
Phishing
Physical Exploit
Social Engineering
Supply Chain Integrity
Third Party Breach
Unauthorized Access
Unauthorized Host Access
Unauthorized Network Access
Unauthorized Physical Access
Unauthorized Reconnaissance
Unintended Data Compromise
Unintended Data Leak
Unpatched Hosts

Appendix A provides a more detailed list of the specific threats that fall into these categories. There are hundreds of specific threats that airports should evaluate. Some noted by Bob Cheong of Los Angeles World Airports are distributed denial of service (DDoS), targeted botnet attacks, click-jacking, cross-site scripting, insider threats, and Trojan humans (Cheong 2011). This list and even the one in Appendix A are not comprehensive, as new cybersecurity threats are constantly emerging. These lists, however, provide a place to start. A continuous process of scanning industry alerts and bulletins is also recommended.

". . . and know yourself . . ." —Sun Tzu

Affected Data and Systems

The second step in an effective cybersecurity approach is to know what may be affected by successful cyberattacks. The second part of Sun Tzu's quote is to "know yourself." There is a broad variety of systems that can be adversely affected by the cybersecurity threats identified in the previous section. These systems encompass traditional IT infrastructure such as desktops, servers, and network devices, as well as ICS such as access control devices, heating and cooling controls, and baggage handling systems. Systems that may be vulnerable are not just those connected to the Internet. As one interview respondent said, "if bits or bytes pass through it, it may be vulnerable." With the growing trend of employees using personal devices for work purposes and the proliferation of cloud-based services, the systems that may be affected are not limited to those that the airport directly controls. Furthermore, with the implementation of the Federal Aviation Administration's (FAA's) Next Generation Air Transportation System (NextGen) Program, as well as the ongoing automation of aviation-related systems, the number of systems of concern to airports is growing.

Appendix B identifies over 200 types of systems typically found at airports that may be affected by cyber threats. These systems are grouped into the following 10 categories:

Administration
Airline & Airside Operations
Cloud Based
Development
Employee Devices
Facilities & Maintenance
IT & Communications
Landside Operations
Safety & Security
Tenant

Systems that are relevant to airports from a cybersecurity perspective can also be categorized by the domain in which they operate. The domain of a system is often, but not always, an indicator of who is responsible for the information that flows through it. Following are the primary domains of systems that should be considered when establishing a comprehensive cybersecurity program for an airport:

Airport IT infrastructure encompasses hardware, such as computers, servers, routers, switches, and hubs; backend (e.g., database) and frontend (i.e., applications used by end users) software; network cabling, Internet connectivity, and security components; and humans, including administrators, developers, and support staff (Janssen 2014).

Airport facility control systems such as heating and ventilation control, airfield lighting, baggage handling, supervisory control and data acquisition (SCADA), and building control systems (BCS), and other ICS computers, devices, and cabling.

Employee devices that airports may allow to be used for work purposes, such as smartphones, tablets, laptops, computers (while working at home), and digital cameras.
Airline ticketing, passenger processing, dispatching, crew scheduling, and aircraft operations. Some of these systems may utilize common use terminal equipment, common use passenger processing systems, common use self-service, flight information display systems (FIDS), and baggage information display systems that operate on airport-owned IT infrastructure. Even if airlines own and operate their own hardware and software, they may rely on airport network, Internet, and power connections. Some airlines may also use Avionics Full Duplex Switched Ethernet (AFDX®), engine health and usage monitoring systems, and electronic flight bags that at times rely on airport IT infrastructure (Roadmap to Secure Control Systems in the Transportation Sector Working Group 2012).

Non-airline tenants may connect point-of-sale (POS) devices, parking access and revenue control systems, automatic vehicle identification systems, and other devices to airport IT, communications, and power networks.

Consultants and contractors, whether they work on-site or off-site, may use airport-owned, company-owned, or personal devices that are connected to airport IT networks through VPN connections or other means. Even if not connected, they may transfer data onto the airport's network via universal serial bus (USB) devices, portable hard drives, and other media.

Publicly accessible Wi-Fi network connections, wayfinding kiosks, digital paging, and other devices are increasingly being made available at airports to improve customer service. All of these devices are publicly accessible, by definition, and a surprising number are not secure. A 2008 study of private (i.e., non-hotspot) Wi-Fi networks accessible within 14 airports around the world found that 80% were unsecured or were using flawed wired equivalent privacy (WEP) encryption. Some of these were used to support critical airport operations (Infosecurity Magazine 2008).

A conceptual diagram that highlights areas of a typical airport where cybersecurity is particularly relevant is provided in the multimedia material.

Both function and domain are important considerations when inventorying systems that may be affected by cybersecurity threats. To help assess the vulnerabilities that those systems may introduce and the countermeasures that can be employed to address them, airport IT managers, staff, or consultants responsible for cybersecurity should collect the following information:

• System criticality to airport safety and operational efficiency
• Ownership and maintenance responsibility
• Users and level of use based on granted access rights
• Make/model/version
• Configuration settings
• Communication protocols and ports utilized
• Status of patches
• Status of warranty
• Data considerations
  – Volume
  – Directionality of flow (to and/or from the airport)
  – Requirement for create, retrieve, update, and delete privileges
  – Sensitivity, with special attention and handling given to SSI
• Airport and vendor point of contact

The data that passes through these systems is also important, as it is often the ultimate target of cybercriminals. Data may include personal information on staff, tenants, and passengers; financial information; operational statistics; engineering drawings; procedures; and a variety of other documents. As part of the assessment of impacted systems, the sensitivity and confidentiality of the data stored and transmitted on those systems must be considered.
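An added example, not from the guidebook or from CARMA, that ties the inventory fields listed above to the likelihood and impact estimates and the three prioritization tiers (urgent; as resources are available; acceptable without mitigation) described under Identify. Each inventory record carries the fields above, each threat scenario combines an actor, vector, motive and target, and a likelihood-times-impact score sorts the scenarios into tiers. The 1-5 scales, the weights, the tier cut-offs and the sample records are constructed here; an airport would calibrate them to its own risk tolerance.

```python
"""Added example: inventory records, threat scenarios and vulnerability
prioritization. Scales, weights, cut-offs and sample data are constructed."""
from dataclasses import dataclass, field


@dataclass
class SystemRecord:
    system_id: str
    criticality: int          # 1 (low) .. 5 (safety/operations critical)
    owner: str                # ownership and maintenance responsibility
    users: int
    access_level: str         # "public" | "tenant" | "staff" | "admin"
    make_model_version: str
    protocols_ports: tuple    # e.g. ("https/443",)
    patch_status: str         # "current" | "behind" | "unsupported"
    warranty_active: bool
    data_volume_gb: float
    data_flow: str            # "in" | "out" | "both" (relative to the airport)
    data_privileges: str      # letters of "CRUD" granted to external parties
    data_sensitivity: str     # "public" | "internal" | "confidential" | "ssi"
    contacts: dict = field(default_factory=dict)


@dataclass
class Scenario:
    """One threat scenario: an actor using a vector against a target for a motive."""
    system_id: str
    actor: str
    vector: str
    motive: str
    likelihood: int           # 1..5, recalibrated as threats evolve


SENSITIVITY_SCORE = {"public": 1, "internal": 2, "confidential": 4, "ssi": 5}


def exposure_adjustment(rec):
    """Raise likelihood for conditions the chapter flags: unpatched hosts,
    public reachability, and external write privileges on data."""
    adj = 0
    if rec.patch_status == "behind":
        adj += 1
    elif rec.patch_status == "unsupported":
        adj += 2
    if rec.access_level == "public":
        adj += 1
    if any(p in rec.data_privileges for p in "CUD"):
        adj += 1
    return adj


def impact(rec):
    """Impact on a 1..5 scale from the factors under 'Estimate the impact':
    operations, data loss, regulatory exposure (SSI), and users affected."""
    ops = rec.criticality
    data = SENSITIVITY_SCORE[rec.data_sensitivity]
    regulatory = 5 if rec.data_sensitivity == "ssi" else 1
    reach = min(5, 1 + rec.users // 500)
    return round((2 * ops + 2 * data + regulatory + reach) / 6)


def risk(rec, sc):
    """Likelihood (capped at 5) times impact, giving a 1..25 score."""
    return min(5, sc.likelihood + exposure_adjustment(rec)) * impact(rec)


def tier(score):
    if score >= 15:
        return "urgent"
    if score >= 8:
        return "as resources are available"
    return "acceptable without mitigation"


def prioritize(records, scenarios):
    """Return (score, tier, scenario) tuples, highest risk first."""
    by_id = {r.system_id: r for r in records}
    rows = []
    for sc in scenarios:
        s = risk(by_id[sc.system_id], sc)
        rows.append((s, tier(s), sc))
    return sorted(rows, key=lambda r: r[0], reverse=True)


# Constructed sample inventory and scenarios (hypothetical systems).
SAMPLE_RECORDS = [
    SystemRecord("bhs-plc", 5, "Facilities", 40, "staff", "PLC gateway v2.1",
                 ("modbus/502",), "unsupported", False, 0.5, "both", "CRUD", "internal"),
    SystemRecord("pub-wifi", 1, "Tenant ISP", 20000, "public", "WLAN controller fw 8.4",
                 ("https/443",), "current", True, 200.0, "both", "R", "public"),
    SystemRecord("badge-db", 4, "Airport IT", 1200, "admin", "Access control server 3.0",
                 ("https/443", "sql/1433"), "behind", True, 12.0, "both", "CRUD", "ssi"),
]
SAMPLE_SCENARIOS = [
    Scenario("bhs-plc", "criminal organization", "network", "disrupt operations", 2),
    Scenario("pub-wifi", "hacker", "wireless", "nuisance", 4),
    Scenario("badge-db", "insider", "credential misuse", "obtain SSI", 2),
    Scenario("pub-wifi", "hacker", "wireless", "nuisance", 1),
]
```

Calling prioritize(SAMPLE_RECORDS, SAMPLE_SCENARIOS) ranks the badge database and the unsupported PLC gateway as urgent, the public Wi-Fi scenario with likelihood 4 as addressable when resources allow, and the low-likelihood Wi-Fi scenario as acceptable without mitigation.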
Ideally this information should be collected as part of an airport's IT master plan, which will often include additional details relevant to the effective use and maintenance of systems at airports, such as useful life remaining and funding requirements (Purnell et al. 2012). These plans need not be complex, and it is often helpful to organize the information characterizing each system in a tabular format for easy reference, ranking, and sorting. It is recommended that IT master plans be updated every 24 to 36 months (Purnell et al. 2012). With the rapid evolution of cyber threats, this update cycle is likely the longest interval airports should consider. That is, however, a decision airport management needs to make based on the relative costs and benefits of updating the master plan versus other activities competing for limited funds. Regardless of how often an airport updates its inventory of systems, it is recommended that systems be identified as they are installed, updated, or decommissioned so that the inventory remains as current as possible at all times. To accomplish this, the airport should establish a policy whereby all system changes are reported to the CISO before they are implemented.

The CISO or their staff and consultants should maintain this inventory of airport systems potentially affected by cyber threats. The categorized list of systems in Appendix B can serve as a checklist to help ensure that all systems have been considered; however, the list provided should not be considered all-inclusive, as each airport may have unique systems and the range of systems in use by airports is constantly evolving.

Countermeasures

Precautions that can be implemented to protect an airport's systems against cybersecurity threats are referred to as countermeasures. They are controls that protect the confidentiality, integrity, and availability of data processed, stored, or transmitted by airport systems. NIST 800-53, Security and Privacy Controls for Federal Information Systems and Organizations (Joint Task Force Transformation Initiative 2012), has identified, categorized, and prioritized cybersecurity countermeasures. They are grouped into three classes and 18 types, as listed in Table 1. The classes correspond to the types of staff typically responsible for each type of countermeasure. Appendix C provides a more detailed list of countermeasures based on industry best practices, NIST 800-53, and other material. Cross-references are provided to link each countermeasure with additional information in the NIST 800-53 document from which it came.

It is recommended that airports consider implementing countermeasures in a prioritized manner to address the vulnerabilities identified during a cybersecurity vulnerability assessment. NIST recommends that countermeasures be given one of three priority codes (P1, P2, or P3) and considered in that order. The assignment of codes does not by itself provide a level of security; it only reflects the relative importance as chosen by the airport team. In the learning and recovery phase, these priorities may be revised.
While many countermeasures must be implemented by IT professionals, system vendors, and airport management, the cybersecurity program should educate airport staff, tenants, and consultants on the practice of good cyber hygiene habits. By incorporating these practices into their daily work life at the airport, an airport's vulnerability to a cyberattack can be reduced.

Table 1. Categories of countermeasures.

Class (Staff Type): Countermeasure Types
  Management: Planning; Program Management; Risk Assessment; Security Assessment; System Services and Acquisition
  Operational: Awareness and Training; Configuration Management; Contingency Planning; Incident Response; Maintenance; Media Protection; Personnel Security; Physical and Environmental Protection; System and Information Integrity
  Technical: Access Control; Audit and Accountability; Identification and Authentication; System and Communications Protection
Source: Derived from Joint Task Force Transformation Initiative (2012).

The following list identifies good cyber hygiene habits:

Avoid Social Engineering Tactics—Social engineering tactics are actions taken by adversaries to trick staff into divulging confidential information. Phishing emails that are constructed to appear as if sent from a legitimate source and that prompt readers to click on a link or open an attachment are an example. All airport employees, consultants, and tenants should be aware of the most common social engineering tactics and learn how to avoid falling victim to them. This can be accomplished through training.

Create Strong Passwords, Protect Them, and Change Them Frequently—Best practices for password management should be part of the ordinary habits of airport staff. For example, passwords should combine numbers and letters so that they are difficult to crack but easy to remember. Passwords should also be changed on a monthly basis. They should not be written down and stored in conspicuous locations. Managers or staff overseeing the installation of a new system should check to ensure that default passwords set by manufacturers or installers are changed to strong passwords that are unique to the airport and comply with the airport's policies.

Identify Suspicious Behavior—Any behavior that is out of the ordinary should be identified. This behavior may be actions carried out by other people, such as "shoulder surfing," i.e., looking over the shoulder of a user as they enter their credentials, and taking photos of computer screens or electronic devices. Suspicious behavior may also be seen in systems. Examples of such behavior, or anomalous activity, include web browsers showing content or redirecting to pages that users did not request, applications returning suspicious information or not responding promptly, and abnormally slow computer performance.
Identify and Protect SSI—SSI (sensitive security information) is a special class of information about physical security systems that must be protected as described in Title 49 of the Code of Federal Regulations (CFR), Part 1520. Under this federal regulation, SSI must be labeled and handled appropriately. If airport staff, tenants, or consultants encounter SSI that they do not have rights to view and a current need to know, that information should be returned to the airport. If they do have permission and a need to know the information, then they should protect that information as required by airport policy. Communicating (and periodically reminding) employees and consultants of these responsibilities can be difficult, especially at larger airports. To help, some airports have incorporated SSI into their training programs and/or displayed posters in common areas.

Patch Personal Devices and Applications—As BYOD (bring your own device) to the workplace becomes more common, the burden of keeping those devices updated with the most recent versions and patches falls on the staff member who owns the device. Many popular applications (e.g., Adobe Acrobat, Internet Explorer) are exploitation targets. Cyber criminals often develop code that tricks users into entering credentials or installing software that contains malware.

These and other daily best practices are described in more detail in the training section of the multimedia material.