Guidebook on Best Practices for Airport Cybersecurity

CHAPTER 5 Developing a Cybersecurity Program

Chapter 4 covered how to identify cyber threats, assess their likelihood and impact, and implement countermeasures that provide protection. This chapter discusses how these activities can be supported and sustained by a comprehensive cybersecurity program. Over three-fourths of the organizations interviewed [32 of 41 (78%) respondents who answered the question] indicated that their organization has a cybersecurity program in place. Only half [19 of 39 (49%) respondents who answered the question], however, felt that the program provided adequate protection. The objective of this chapter is to help airports that do not have a cybersecurity program establish one, help those that do have a cybersecurity program improve its effectiveness, and, ultimately, help all airports sustain cybersecurity programs in a manner that is based on industry best practices.

The key components of a cybersecurity program include the following:

• Governance encompassing laws, regulations, policies, standards, specifications, and procedures.
• Training to ensure that senior executives, managers, staff, tenants, consultants, and others understand the importance of cybersecurity and their role in protecting airport data and systems from attack.
• Resources, including the following:
  – Staff roles, responsibilities, and skills that are required to support a successful cybersecurity program.
  – Funding required to support a cybersecurity program and potential sources of funding to consider.
  – External support that can be tapped to help establish and sustain a cybersecurity program.
• Ongoing activities to maintain and continuously improve the effectiveness of a cybersecurity program.
• Risks of implementing a cybersecurity program and how to mitigate them.

These topics are intended to break the various aspects of an effective cybersecurity program into manageable components. Each topic is described in more detail in the sections that follow.

Information for IT managers and senior managers on the importance of, and how to approach, establishing and sustaining a cybersecurity program founded on best practices is provided in the multimedia material.

Cybersecurity Governance

Cybersecurity governance refers to how a cybersecurity program is controlled by the people entrusted to do so. Governance originates from a strategic perspective, but it guides and influences the daily activities of these individuals as well as all stakeholders. Characteristics of governance include the following (Bodeau et al. 2010):

• How well the cybersecurity program is aligned with the overall risk management approach of the airport
• How pervasively and uniformly cybersecurity policy and measures have been implemented throughout the airport organization
• What level of support senior management provides
• How agile the program is to adapt to threats, countermeasures, and organizational change

Cybersecurity governance encompasses the legal requirements and regulations by which the airport must abide, policies that require standards and procedures to be followed, processes to ensure that data and software meet the airport's criteria, and contract and procurement mechanisms to obtain the proper external support. Collectively these elements allow an airport's cybersecurity program to be carried out in a consistent manner that is aligned with the overall organizational objectives. They also help managers make informed decisions about the priority of and the investment in specific countermeasures. The sections that follow discuss these elements of cybersecurity governance in more detail.

Legal Requirements and Regulation

There are numerous laws, regulations, and legal agreements to which airports are subject that should be addressed by a cybersecurity program. For each, senior management must determine whether the law or regulation is applicable to their organization and, if so, how they are going to enforce it. Following are some of the primary federal laws and regulations that airports should consider:

• 49 CFR 1520 defines how SSI is to be protected. SSI is information obtained or developed as security activities are conducted (49 CFR 1520.5).
This encompasses information on security plans, directives, circulars, performance specifications, security measures, screening information, and training materials. Such information must be labeled as SSI (49 CFR 1520.13) and handled in a specific way (49 CFR 1520.19). Many airports have implemented SSI policies that communicate these requirements to their staff and consultants. Often these policies require individuals who have a legitimate need to access SSI to sign a form that acknowledges their willingness to adhere to this regulation. The CISO should ensure that employees and consultants are aware of the airport's policy and are periodically reminded of their responsibilities.

• The Health Insurance Portability and Accountability Act provides regulations on the management of health information of individuals. This act pertains principally to health care providers and insurers, although it also applies indirectly to employers, such as airports, who provide health care insurance and retain personally identifiable information (PII) on employees.

• The Electronic Communications Privacy Act of 1986 prohibits unauthorized electronic eavesdropping (Fischer 2013). While there has been some debate as to whether this law encompasses emails temporarily saved on servers while in transit, airports may want to document their access to emails sent to or received by employees as part of their employment policy.

• The Computer Fraud and Abuse Act regulates abuse of "protected" computers, which include computers used in or affecting interstate or foreign commerce or communication. This act covers actions such as unauthorized access of or knowingly damaging such computers. Accordingly, airports are given legal protections against cyberattackers that extend beyond most organizations.

• The Fair Credit Reporting Act provides regulations for employers who use credit information for hiring, as well as businesses that provide data to credit rating agencies.
This applies to the hiring and employment practices at airports that take these factors into consideration.
While the foregoing laws and regulations are pertinent to airports, there are a number of additional requirements placed on federal agencies. These are listed below as a reference. Airports may wish to consider some of these when defining their policies and procedures (Fischer 2013):

• The Federal Information Security Management Act of 2002 clarified the NIST's role and strengthened its cybersecurity responsibilities, established a central federal incident center, and made the Office of Management and Budget (OMB) responsible for promulgating federal cybersecurity standards.

• Executive Order 13636, Improving Critical Infrastructure Cybersecurity, expanded an existing program for information sharing and collaboration between the government and the private sector, established a process for identifying and prioritizing the protection of critical infrastructure, tasked the NIST to lead in developing a framework of cybersecurity standards and best practices for protecting critical infrastructure, and required regulatory agencies to determine the adequacy of current requirements and their authority to establish requirements to address the risks. Many aspects of this order highlight the relevance of cybersecurity to critical infrastructure, of which airports are a vital component.

• National Security Presidential Directive 51 and Homeland Security Presidential Directive 20 established a National Continuity Policy to ensure the essential executive-level government functions are sustained in the event of a catastrophic emergency. The Federal Continuity Directive developed by the DHS provides operational guidance to support this policy. Portions of this guidance highlight the importance of collaboration and planning activities with local government that manages critical infrastructure such as airports.
• The Clinger-Cohen Act of 1996 made agency heads responsible for ensuring the adequacy of information security policies and procedures, established the CIO position in federal agencies, and gave the Secretary of Commerce authority to mandate federal cybersecurity standards, a responsibility later shifted to the OMB as described previously.

• The E-Government Act of 2002 serves as the primary legislative vehicle to guide federal IT initiatives to make information and services available online. It includes a number of cybersecurity requirements that may be relevant to airports.

Laws and regulations that are relevant to cybersecurity may also be imposed at the state, county, or municipal level. Despite the relatively new federal legislation described in the previous paragraphs, some feel that the federal government is currently gridlocked in bipartisan disputes, which will require states to become more active, especially in the wake of increasing retail and financial cyberattacks. States including Massachusetts and California are leading the way, and others are likely to follow (Camhi 2014). This trend is relevant to airports as many are directly managed by state, county, and municipal government agencies. Individuals leading cybersecurity programs at airports should research the applicable laws by identifying the CIO or CISO of their parent organization and of the jurisdiction they are within. Local or regional FBI agents assigned to an airport as well as cybercrime units within local law enforcement offices can also help identify relevant rules and regulations for airports.

Standards and Guidelines

Numerous standards and guidelines support cybersecurity. Some of the key ones that airports should consider as a part of their cybersecurity programs are described in the following list. Unlike some of the laws and regulations previously identified, airports are not required to follow the standards and guidelines listed here.
This is perhaps why relatively few [9 of 24 (38%) respondents who answered the question] reported using a national cybersecurity standard. As mentioned earlier, there are also few, if any, standards for ICS security at airports. Nevertheless, the research conducted, trends identified in other industries, and discussions with airport IT
professionals suggest that the following standards and guidelines are best practices and should be considered as a part of a prudent airport cybersecurity program.

• Framework for Improving Critical Infrastructure Cybersecurity was developed by the NIST in response to Executive Order 13636, which called for the creation of a cybersecurity framework to protect our nation's critical infrastructure. This framework provides a high-level structure for approaching cybersecurity at a national level. The NIST, working in conjunction with the DHS, developed and is promoting the application of these standards within governmental agencies and the private sector. In developing these standards, the NIST looked at the existing body of standards, regulations, and guidelines. For example, the international community had already developed the ISO 27000 series of standards. In addition, the NIST requested input from industry, academia, and government to create the final framework that was published February 2014 as Version 1.0. The result is a framework that delineates five high-level activities. These high-level activities establish the basis of the cybersecurity approach recommended previously in this document.

• Information Security Management Systems requirements (ISO/IEC 27000:2013) is a broad set of standards that define requirements for establishing, implementing, maintaining, and continuously improving an information security management system. These requirements are referenced extensively within the NIST Framework described previously. The ISO 27000 series of standards includes requirements for the assessment and treatment of information security risks as tailored to the specific organization. Complying with the ISO/IEC 27000:2013 information security management standards represents one approach to meeting the NIST Cybersecurity Framework.
ISO details specific methods and processes that can be mapped directly to the five phases in the NIST framework outline and offers approaches for organizations of any size and budget.

• An Introduction to Computer Security: The NIST Handbook (NIST 800-12; Guttman and Roback 1995) provides a broad overview of computer security and control areas. It also emphasizes the importance of the security controls and ways to implement them. Initially, this document was aimed at the federal government, although most recommendations in it can be and are being applied within non-federal agencies and other organizations as well. Although this document was originally published in the late 1990s, it remains an excellent source of training for personnel seeking to become acquainted with computer security best practices.

• Security and Privacy Controls for Federal Information Systems and Organizations (NIST 800-53) provides a detailed and prioritized list of countermeasures. The document was developed by an interagency working group with members from civil, defense, and intelligence agencies. It has been revised several times to keep up with the rapidly evolving landscape of threats and the countermeasures available to confront them. The catalog is an excellent list of threats for airports to consider and is provided as a reference in Appendix A.

• Guide to Industrial Control Systems Security (NIST 800-82; Stouffer et al. 2013) provides guidance on the threats against and countermeasures available to help protect ICS from cyberattack. The document describes typical ICS topologies and where vulnerabilities may exist. It acknowledges the unique performance, reliability, and safety characteristics of these systems that must be considered as the impact of threats is assessed and countermeasures are implemented.
• North American Electric Reliability Corporation's critical infrastructure protection plan encompasses nine standards and 45 requirements designed to protect the nation's power system from cyber, physical, and other types of attack. Many of the requirements can support protection of airport data and systems.

• PCI DSS are intended to provide guidance and certification criteria for organizations that process credit cards; however, the applicability of these standards is far more encompassing. This standard is described in detail in the following section.
Despite the relevance of these standards, some respondents [4 of 24 (12%) who responded to the question] replied that the available standards were not appropriate for their environment. A 2014 Verizon study found that this is particularly true among smaller organizations that do not have the depth of knowledge or specialization in cybersecurity (Verizon 2014). Although cybersecurity standards have not been fully embraced by airports, greater awareness of them through this and other publications may increase adoption rates. This trend will likely continue as new cybersecurity standards and guidelines emerge with a greater focus on aviation-specific cybersecurity needs. Individuals responsible for cybersecurity programs at airports should consider standards an effective resource for developing their policies and procedures.

Payment Card Industry Data Security Standards

The PCI DSS have been established by major credit card companies, including American Express, Discover Financial Services, JCB International, MasterCard, Visa Europe, and Visa Inc. The PCI Security Standards Council was established in 2004 and funded, in part, by these firms, as well as the fees generated through training, assessment, and other services. Their motive was to counter the growing breach of credit card information that can occur at the POS, in transit, or in a database. To elevate the awareness and level of protection credit card processors have in place, the PCI Security Standards Council published the PCI DSS, which is now in Version 3.0. According to a 2014 study, "Version 3.0 [of the] PCI DSS is more mature than ever, and covers a broad base of technologies and processes such as encryption, access control, and vulnerability scanning" (Verizon 2014).
The PCI DSS represent a comprehensive set of practices, assessment methodologies, and certification guidelines for protecting credit card information, issuers and processors, and, ultimately, consumers. The standards encompass much more than payment processing and include aspects of employee training and awareness as well as network and IT operational planning and practices. PCI DSS furthermore provides a solid foundation for the protection of PII, which is now subject to regulation in 47 states. The first such law was passed in 2002 in the state of California as SB 1386 and became effective in 2003. Other states have followed with their own variants. Of interest to airports is that SB 1386 relates to the protection of the information of California residents wherever that data resides. So a breach of PII in one state could require notification of residents in many other states. For these reasons, several airport CIOs and CISOs feel that the PCI DSS are good practice regardless of the level of credit card processing their airport does. It is also a requirement that credit card companies may place on airports that process credit cards to collect parking, employee badge, and other fees. Airport tenants may also transmit credit card information via the airport's network, transferring some of the responsibility for protecting this information to the airport. Accordingly, most respondents [24 of 31 (77%)] claim their organizations comply with PCI DSS. This is, however, lower than the 84% found across other industries in a Verizon survey of 4,000 companies (Verizon 2014). Note that many companies report only a Level 1, or basic, compliance. Those that comply at a higher level, according to the Verizon survey, are statistically less likely to experience a breach.

General Compliance

Since the PCI DSS were introduced 10 years ago, a significant number of organizations have implemented them or become compliant (Verizon 2014).
Despite this growth, many organizations have not yet achieved the basic level of compliance. Those organizations that are breached
tend to be less compliant. This problem continues to grow as evidenced in the growing amount of credit card fraud losses as summarized in Figure 5 (HSN Consultants, Inc. 2013). Recent, heavily publicized breaches of credit card information at national retailers, including Target and Home Depot, further accentuate the problem (Depner 2014). Industry analysts expect this trend to continue (McAfee 2014).

Applicability to Airports

To be PCI DSS compliant, an organization must meet the 12 requirements in the following list, which encompass business processes and training as well as securing network, software, and devices (PCI Security Standards Council 2013). Many of these countermeasures have been discussed in other sections of this document. They are repeated here as they are specifically called out as a requirement of compliance with PCI DSS.

• Install and maintain firewall(s) to protect cardholder data. It is recommended that an organization's network infrastructure be segmented to isolate the cardholder data environment (CDE) from other networks. In an airport, there may be multiple CDEs that are kept independent of each other to prevent the breach of one network in a manner that impacts the integrity of another. For example, individual airline tenants may have isolated networks or be separate from the network provided for retail operations. Properly configured firewalls can isolate CDE networks from each other as well as the larger open, public network that should be considered insecure. Some airports have achieved this level of isolation by outsourcing activities that require credit card processing, such as the collection of parking fees. Some feel that the loss of revenue to these third-party vendors is offset by the reduced risk level they achieve.

• Do not use vendor-supplied default passwords and other security parameters. Vendors ship systems with default settings and administrative passwords.
These default passwords are often commonly known and therefore a vector for breach. In fact, there is a public website listing default passwords for 485 vendors with approximately 2,000 passwords (CIRT.net 2014). The selection of settings and choice of passwords should be part of an overall configuration management and security plan.

• Protect cardholder data stored in databases. Protection methods such as encryption, truncation, masking, and hashing are critical to protecting cardholder data or other sensitive data. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should also be considered as potential risk mitigation opportunities.

Figure 5. Global credit card losses. Source: HSN Consultants, Inc. (2013).

• Restrict physical access to vital data and systems. Airports are very familiar with the need to physically restrict access to certain areas and systems. This requirement applies to data and systems that handle, route, store, process, or enter critical information. Visitors including non-badged contractors, vendors, customer service representatives, and repair personnel must be escorted by an authorized airport staff member.

• Use strong encryption and key management for vital data in transit across public networks. The use of VPN, the secure hypertext transfer protocol, and SSL encryption has become industry standard for the transmission of sensitive or confidential data. Maintaining a robust key management system or automating with one-time session-based keys reduces the vulnerability to man-in-the-middle attacks or sniffing.

• Protect all systems against malware and regularly update antivirus software. As new malware is created, anti-malware vendors create new signatures and procedures to mitigate the potential damage. The rate at which new malware is created, however, continues to grow and zero-day attacks will continue to be discovered. Therefore, staying current with the real-time intrusion detection and prevention systems is now a standard requirement. Patching applications and operating systems is also an important measure. This can be a challenge when legacy applications cannot keep up with the rapid changes in newer systems. Segmentation, isolation, and monitoring of such legacy systems are the next line of defense for these cases where security updates are not available or anti-malware solutions are not offered.

• Develop and maintain secure systems and applications. New or expanded systems should be designed to be as isolated as possible without impairing any required functionality.
This includes not connecting other databases, systems, or networks to the CDE. Any new application should follow secure development processes and testing to avoid common vulnerabilities such as buffer overflow, cross-site scripting, or structured query language (SQL) injection.

• Restrict access to cardholder data based upon a business need to know. Segregate access to critical infrastructure with strong authentication and only provide credentials to a limited number of the staff members that have a valid need to know. Use distinct and unique credentials for the sensitive data system components to prevent escalation of privileges that can impact more critical systems. For the most sensitive systems, two-factor authentication is recommended and in some instances required.

• Identify and authenticate access to system components. Unique access credentials for all users are required. Authentication methods should curtail frequent access attempts with incorrect credentials. If such frequent attempts occur, notification or alerts should be sent to system administrators, who may be able to prevent intruders attempting to gain access.

• Monitor and log all access to critical systems. Logs for network access, critical systems access, and system change are critical for monitoring, detecting, and minimizing the impact of a cyberattack. These logs must be retained for at least 6 to 12 months in order to analyze and trace an event when something does go wrong.

• Regularly test security systems and processes. Malicious entities and security researchers are constantly discovering new vulnerabilities. The procedures, systems, controls, and hardware and software configurations must be put on a regular test schedule to ensure adequate protection. The period for testing will vary by component as some vectors such as mobile and wireless are evolving more rapidly than others.

• Maintain a policy that addresses information security for all personnel.
A strong security policy demonstrates to all personnel the importance that the airport places on cybersecurity. Personnel include vendors, contractors, and external personnel that regularly work at the airport. Regular training covers the awareness portion of PCI DSS. The organization is best protected when everyone who may touch cardholder data understands the importance of managing that data. Extending this to the critical data that is used for the safe operation of the
airport provides the best risk posture possible. PCI training can be offered to airport personnel, tenants, and consultants.

While PCI DSS compliance is a requirement for airports that process credit card information, many are implementing some or all of the preceding countermeasures as a matter of good practice. Note that, while PCI DSS compliance may be a requirement or good practice, it has "never been a catchall solution" (Depner 2014). It is "more like an acknowledgment that you're not incompetent" (Depner 2014) and is a good set of countermeasures that airports should consider. To determine the scope of PCI implementation best suited to an individual airport, it is recommended that stakeholders complete a questionnaire to discover all of the systems, networks, devices, and processes involved in the entry, storage, transmission, monitoring, and interactions with credit card data. Once the scope is determined, another questionnaire can be completed to determine the airport's readiness and what steps are required to move it toward compliance.

Policies

There are numerous policies that should be considered and, as appropriate, adopted by an airport as a part of its cybersecurity program. These policies will help ensure that the airport remains in compliance with the laws and regulations as well as the applicable standards and guidelines previously described. They will also help ensure that staff, tenants, and consultants are aware of and embrace the countermeasures that are germane to them. Following are some of the primary policies that airports and other organizations have adopted in support of cybersecurity:

• Acceptable use of data and systems should be established by policy. All staff, tenants, consultants, and other stakeholders who have access to airport data and systems should be required to use these resources in a manner deemed acceptable by senior management.
An acceptable-use policy should cover what types of data and systems can be used for specific types of work activities by specific individuals based on the role they play, how access credentials to these resources should be protected, and how to report intentional or mistaken misuse.

• SSI should be defined and handled as called for in 49 CFR 1520. While this regulation documents national policy, it is general and does not specifically identify the information that may be considered SSI at a specific airport. A recommended best practice, which some airports have followed, is to develop a policy document that references 49 CFR 1520 but extends it to list the specific information found at the airport that is SSI. This policy document should name specific security systems and procedures found at that airport, using terms familiar to managers and staff. The policy should also define or, at least, reference procedures on how SSI is to be handled, provide instructions on how to request access to SSI, name who at the airport has authority to grant this access, and explain what to do if SSI is inadvertently released. This policy should be distributed to any airport staff, tenants, or consultants that may come into contact with SSI. It is important that these individuals understand that this policy is a critical job responsibility and it is also critical that they receive the necessary training on how to identify, handle, and dispose of SSI.

• Private information should be defined and protected as a matter of policy. This will help the airport remain compliant with laws that protect personal health care records, credit card information, and other forms of PII. In some cases, airport staff members may have a legitimate need for this data (e.g., to support employee benefit programs and to charge employees for badge processing and other fees). In these situations, authorized employees must be aware of their rights and responsibilities for handling this information.
Others, perhaps as a part of the cybersecurity training, should be aware of what is considered private information, what the airport's policy is with regard to the handling of private information, and how they should report any deviations from this policy. This awareness will not only help enforce the airport's privacy
policies but will also provide some assurance to all employees that their private information is handled in a compliant and conscientious manner.

Recommended policies for airports to consider to support cybersecurity best practices are provided for both IT managers and senior managers in the multimedia material.

• Software and data assurance should be required of all staff and consultants involved with developing software or digital data. This assurance should encompass system specifications that will reduce vulnerabilities in software applications and systems, data specifications that are relevant to cybersecurity, testing procedures for both software and data to ensure they meet these specifications, and a process to certify that these requirements have been met. While software assurance policies are typically focused on IT vendors, they should also be extended to vendors of ICS. Similarly, data assurance policies should be extended beyond the IT developers of databases, web services, and other data sources to include consultants and contractors that develop any form of digital deliverable for the airport.

• Training should be required of all staff as a condition of employment. Training should also be required of contractors, consultants, and tenants as a condition of their contracts and agreements with the airport. This training should be administered periodically, such as on an annual basis. While the overall message of this training will not change much, the specifics of what to look for and how to react may change as the nature of threats evolves. It is also important that staff, contractors, consultants, and tenants be regularly reminded of their responsibilities. This training is very similar to, and in fact can be administered along with, the annual security training that airports require of individuals who have been issued an airport security badge.
Communications about threats, vulnerabilities, and attacks should be controlled by policy. The goal should be to foster quick and efficient communications with appropriate parties, but in a manner that does not compromise sensitive information or the airport's reputation. The policy should also establish how airport managers and staff should react when certain information is received. This should be established and communicated to the appropriate stakeholders well in advance of an attack so that they can respond efficiently without divulging or reacting to inappropriate information.

The preceding policies are recommended, but each airport's management should determine their applicability and how they should be adopted within their individual organization. This requires input from technical staff and perhaps representative staff, vendors, and consultants who will be affected by these policies. These policies should also be consistent with and complementary to other policies the airport or its parent organization may have in place. The development of these policies can be led by the individual(s) responsible for cybersecurity, but it is ultimately the responsibility of senior management to endorse and enforce the policies that are developed.

48 Guidebook on Best Practices for Airport Cybersecurity

Contracts and Procurement Considerations

Most of the systems and much of the information used by airports are provided by external service providers or other organizations. It is the airport's responsibility to ensure that its cybersecurity requirements are met before these data and system resources are installed and used. To achieve this goal, it is prudent that cybersecurity requirements be incorporated as early as possible into the procurement process so that qualified service providers responding to the airport's solicitations are fully aware of the requirements they must meet.

Simply selecting a qualified provider is not enough. To effectively integrate cybersecurity requirements into the procurement process, IT and facility managers should work with procurement managers to ensure that their functional, technical, and security-related requirements are all properly incorporated into system and data procurement solicitations and the contracts that result. Developing such specifications may require the use of external literature, agency, and consultant resources. Selected providers should also be asked to review and recommend security measures that are best practice for their particular product for the airport to consider. Once mutually agreed upon, all cybersecurity requirements should be documented within the provider's scope of work and checked before final payment is made. These precautions apply to products and services that will ultimately reside on-site at the airport as well as to cloud-based services that airports are increasingly using.

Some airports [9 of 32 (28%) respondents who answered the question] are already following this best practice. A greater number [15 of 32 (47%) who responded to the question] factor cybersecurity needs into their procurement process but do not explicitly incorporate requirements. As cybersecurity awareness increases among senior management, it is likely that more airports will adopt these practices, the most critical of which are as follows:
• Airport policy should establish rules governing data, software, system, and device procurement requirements and procedures. This should be at a general level, so as to be relevant to all airport procurements that involve data and systems (Information Security Standards 2014).
• Procurement, IT, and facility managers must collaborate to develop functional, technical, and security-related requirements that are specific to each data resource, system, or device that is procured. In some cases, assistance may be required from an external technical expert who is not allowed to bid on the procurement and has no financial interest in any of the bidders.
• Commercial-off-the-shelf (COTS) solutions that have had vulnerability tests and have been operating in similar, ideally airport, environments should be preferred over custom solutions. Where COTS solutions cannot adequately meet airport functional and/or technical requirements, vendors who propose custom solutions must provide assurance that the solutions have been implemented using cybersecurity best practices (Information Security Standards 2014).
• Secure outsourced or custom development by requiring developers to protect code from embedded malware that may ultimately be introduced into the airport environment (Information Security Standards 2014).
• Secure data provided to consultants and developers by requiring them to adhere to the airport's acceptable-use policies. Consultants or developers that are required to handle SSI should acknowledge that they will do so in accordance with the airport's SSI policy and ultimately 49 CFR 1520. This should apply to consultants before (i.e., during procurement, when SSI is provided with the solicitation), during (i.e., while under contract), and after (i.e., after the work has been completed and before SSI is returned or properly disposed of) the contract.
• On-site or remote installation of data, software, or systems should be carried out in accordance with the airport's IT access and/or physical security requirements. This may require badging of consultants and developers, signing of access and acceptable-use policies, and possibly escorts into secure areas of the airport. It is important that these requirements be clearly stated during the procurement process so that associated costs and time durations are factored into the bids that are received.
• Unused code or services should be disabled or removed by the developer prior to installation. This limits the exposure of the system due to code or services that are providing no value to the airport. The developer should indicate in the documentation which portions of their code and/or services have been disabled as a part of their configuration management process (adapted from ICS-CERT).
• Documentation should be delivered that details all applications, utilities, system services, scripts, configuration files, databases, other software required, and the appropriate configurations. This should include documentation on revisions and/or patches for each of the computer systems associated with the control system. This documentation should list all ports and services required for normal operation as well as any necessary for emergency operation. This documentation should be referenced in the inventory of airport systems (adapted from ICS-CERT).
• Commissioning or certification of the data or systems that have been procured should include checks by airport staff or consultants that are independent from the vendor to ensure that proper cybersecurity countermeasures have been put into place and that all associated airport policies and procedures have been followed.
• A warranty should be required that ensures the vendor or developer will provide updates and patches to their information or system for a period of time specified by the airport. The airport should consider requiring, as a part of this warranty, that the vendor assess and mitigate any vulnerabilities or impacts of successful attacks against their systems. It should be noted that these types of warranty requirements, especially those extending significantly into the future, create risk for vendors that must be compensated. An adequate balance between the costs and benefits should be considered by airport cybersecurity and risk management personnel (adapted from ICS-CERT).

Although these requirements can add time and therefore cost to the procurement process, they will help ensure that the airport's cybersecurity requirements are adequately addressed as new systems are installed.
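The independent commissioning check in the list above, comparing what a delivered system actually exposes with the ports and services the vendor documented, can be partly automated. The following is an added example, not code from the guidebook or from any vendor: it parses constructed `ss -ltnp` output from a hypothetical delivered host and compares it with a constructed vendor port/service list. The host, the services, the port numbers and the shape of the documentation table are all assumptions made for the illustration.

```python
"""Commissioning check: does the delivered host listen only on what the
vendor documented?  Added example; all sample data below is constructed."""
import re
from dataclasses import dataclass

# Constructed stand-in for the vendor's port/service documentation:
# port -> (service, required for normal operation, required for emergency operation)
DOCUMENTED_SERVICES = {
    22:   ("sshd (vendor remote maintenance)", True, True),
    161:  ("snmpd (monitoring agent)", True, False),
    443:  ("nginx (operator HTTPS console)", True, True),
    502:  ("modbus-gw (field bus gateway)", True, True),
    8443: ("backup-agent (emergency restore only)", False, True),
}

# Constructed `ss -ltnp` output from a hypothetical delivered host; not a real capture.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*      users:(("sshd",pid=812,fd=3))
LISTEN  0       511            0.0.0.0:443          0.0.0.0:*      users:(("nginx",pid=1201,fd=6))
LISTEN  0       128            0.0.0.0:502          0.0.0.0:*      users:(("modbus-gw",pid=1340,fd=4))
LISTEN  0       128            0.0.0.0:23           0.0.0.0:*      users:(("telnetd",pid=902,fd=3))
LISTEN  0       100          127.0.0.1:3306         0.0.0.0:*      users:(("mysqld",pid=1111,fd=21))
LISTEN  0       4096              [::]:9100             [::]:*      users:(("node_exporter",pid=1500,fd=3))
"""


@dataclass(frozen=True)
class Listener:
    port: int
    bind_addr: str
    process: str


@dataclass(frozen=True)
class Finding:
    kind: str       # "undocumented" (listening, not in the vendor list) or "not_listening"
    severity: str   # "high", "medium" or "warning"
    port: int
    detail: str


_PROCESS_RE = re.compile(r'\(\("([^"]+)"')   # process name inside users:(("name",pid=..))


def parse_listeners(ss_output):
    """Parse the LISTEN rows of `ss -ltnp` output into Listener records."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                                   # header or non-listening row
        bind_addr, port = fields[3].rsplit(":", 1)     # works for IPv4 and [::] forms
        m = _PROCESS_RE.search(line)
        listeners.append(Listener(int(port), bind_addr, m.group(1) if m else "?"))
    return listeners


def _is_loopback(addr):
    return addr.startswith("127.") or addr in ("[::1]", "::1", "localhost")


def check_against_documentation(listeners, documented):
    """Flag listeners absent from the vendor list, and documented normal-operation
    services that are not actually running."""
    findings, seen = [], set()
    for lst in listeners:
        seen.add(lst.port)
        if lst.port in documented:
            continue
        # An undocumented service reachable from the network is the serious case;
        # a loopback-only one still has to be documented but is less exposed.
        severity = "medium" if _is_loopback(lst.bind_addr) else "high"
        findings.append(Finding("undocumented", severity, lst.port,
                                f"{lst.process} listening on {lst.bind_addr}:{lst.port} "
                                "is not in the vendor's port/service list"))
    for port, (service, normal, _emergency) in documented.items():
        if normal and port not in seen:
            findings.append(Finding("not_listening", "warning", port,
                                    f"{service} is documented as required for normal "
                                    "operation but is not listening"))
    return sorted(findings, key=lambda f: (f.kind, f.port))


def commissioning_report(ss_output=SAMPLE_SS_OUTPUT, documented=DOCUMENTED_SERVICES):
    return check_against_documentation(parse_listeners(ss_output), documented)


if __name__ == "__main__":
    for f in commissioning_report():
        print(f"[{f.severity}] {f.kind} port {f.port}: {f.detail}")
```

On the constructed sample the check reports telnetd on 23 and node_exporter on 9100 as undocumented network-facing services, mysqld on 3306 as undocumented but loopback-only, and snmpd on 161 as documented for normal operation yet absent; an emergency-only service such as the backup agent on 8443 is not flagged for being idle. Every undocumented finding goes back to the vendor either to be removed (the "unused services" item above) or to be added to the documentation and the airport's system inventory before acceptance.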
Although the procurement-phase cost is burdensome, it is significantly lower than the cost of vendor change orders and, ultimately, the cost of responding to and recovering from a cyberattack caused by vulnerabilities in a newly installed system.

Software and Information Security Assurance

The software and data that airports acquire from consultants, vendors, and others may introduce vulnerabilities that should be addressed before the software or data is installed and used at the airport. In some cases, the data and systems are developed in-house by airport staff. These employees should follow the same procedures required of external providers to assure the airport that the software and data they provide is secure. Following are guidelines on how they can provide this assurance and the role airport cybersecurity professionals should play in enforcing them.

Software Assurance

Software assurance is "the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner" (Committee on National Security Systems 2010). The objective of software assurance is to ensure that "the processes, procedures, and products used to produce and sustain the software conform to all requirements and standards" (Mercedes and Winograd 2008). To support cybersecurity objectives, software must be free of vulnerabilities to the extent possible, must not introduce vulnerabilities into other systems, and must continue to operate as intended if anticipated attacks occur. These goals can be compromised by design, development, or deployment mistakes; by intentional vulnerabilities introduced by vendors, users, administrators, or others who can gain access; and by technology changes that introduce threats not anticipated by developers (McGraw 2006). Some of the threats that can impact software include command injection, SQL injection, vulnerable operating system interfaces, buffer overruns, memory leaks (memory not freed when the software is done with it), memory pointer errors, format string attacks, and integer overflow or truncation errors (Software Assurance Marketplace 2014). In addition, web-based software can be exposed to cross-site scripting, uniform resource locator (URL) redirection, and credential exposure. While there are many threats, the 25 most dangerous software weaknesses have been ranked by the SANS Institute working in conjunction with the MITRE Corporation (Christey 2011). This list can provide an important reference that can be used as a checklist for software assurance programs.

However, the complexities of developing, implementing, and maintaining software with the assurance of not being vulnerable to cybersecurity threats do not need to fall on airport managers or staff. The technical skills and familiarity with the software needed to combat these threats necessitate that developers and installers provide these assurances. These individuals will typically be employed by vendors or third-party installers, although in some cases airport staff may develop custom software in-house as well. The individual(s) responsible for cybersecurity at an airport must require developers and installers of software that is used at the airport, regardless of where they are employed, to provide the following assurances:
• Build security into the software development life cycle at each phase. This starts with design, as flaws at this stage account for 50% of security problems (McGraw 2006). The languages, third-party components, and even the development environment should be adequately secured (MITRE Corporation 2014a).
• Test software and systems for known vulnerabilities prior to deploying them.
There are many tools and processes that can be used to test software for security vulnerabilities; some of these are free (Software Assurance Marketplace 2014).
• Protect application credentials by not hard-coding passwords and security tokens in code that can be accessed by users or outsiders. Credentials, as well as any data that can be considered sensitive or confidential, should also be encrypted as they are transferred between servers and end-point systems or client devices.

These requirements should be enforced by airport policy and incorporated into contracts with vendors and third-party installers. Airports may wish to require a written certification of these assurances from vendors and installers. Warranties covering vulnerabilities discovered during a defined period of time may also be desired; since no vendor can guarantee the absence of vulnerabilities, such warranties are best framed as an obligation to remediate within an agreed time. These measures will come at a cost that senior managers must consider in relation to the level of protection they desire.

The software assurance responsibilities of airport managers and staff do not end with the enforcement of policy on vendors, installers, and in-house developers. The individuals responsible for cybersecurity should also perform the following:
• Install software patches and updates promptly upon their release, ideally by automated means where possible.
• Report bugs and vulnerabilities that can be attributed to the software to the vendor. Vendor points of contact should be included and maintained as part of the system inventory described earlier.
• Restrict software installation privileges to IT personnel who are knowledgeable about which software sources can and cannot be trusted. If airports allow employees to bring their own devices, then policy and procedures that require and enable the owners of these devices to be vigilant in this regard should also be considered.

Some of the primary practices for ensuring software security are described above. There are many more resources to help airport cybersecurity professionals, developers, and installers ensure that software conforms to an airport's security requirements. Several of these are listed on the DHS website (under Software Assurance Resources).
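Two of the assurances listed above, testing delivered software for known weaknesses and keeping credentials out of source code, can be checked with a small scan before acceptance. The following is an added example, not code from the guidebook or from any vendor or tool it cites: a lightweight pattern scan for hard-coded credentials over constructed source fragments, alongside the hardened pattern the scan expects instead (the credential supplied by the deployment environment at run time, with no built-in fallback). The file names, variable names, and secret values are constructed; the AWS value is the placeholder key from Amazon's own documentation and the GitHub-style token is random.

```python
"""Software assurance check: flag credentials hard-coded in delivered source,
and show the run-time lookup that should replace them.
Added example; the sample sources and their names are constructed."""
import os
import re

# Constructed source fragments as a vendor might deliver them.
VENDOR_SOURCES = {
    "fids_sync.py": (
        'DB_PASSWORD = "Sup3rS3cret!"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'client = Client("ghp_3b7e2c0f4f5a4c6d8e9f0a1b2c3d4e5f6a7b8c9d")\n'
        'conn = connect(host="fids-db", user="fids", password=DB_PASSWORD)\n'
    ),
    "config.py": (
        'import os\n'
        'DB_PASSWORD = os.environ["FIDS_DB_PASSWORD"]\n'
        'EXAMPLE_PASSWORD = "<set-in-deployment>"\n'
        'PASSWORD_MIN_LENGTH = 12\n'
    ),
}

# A credential-looking identifier assigned a quoted literal (Python, JSON or YAML style).
_ASSIGN_RE = re.compile(
    r'(?i)\b(?P<name>[A-Z0-9_]*(password|passwd|pwd|secret|token|api_?key)[A-Z0-9_]*)'
    r'\s*[:=]\s*["\'](?P<value>[^"\']+)["\']')
# Literals with well-known token prefixes are flagged even when no variable name gives them away.
_TOKEN_RE = re.compile(r'["\'](?P<value>(ghp_|AKIA|xox[abp]-)[A-Za-z0-9_\-]{8,})["\']')
# Values that are clearly placeholders rather than real secrets.
_PLACEHOLDER_RE = re.compile(r'^(<.*>|\$\{.*\}|\{\{.*\}\}|changeme|your[_-]?\w+)$', re.I)


def _redact(value):
    """Never echo the secret itself into a report; keep two characters for triage."""
    return value[:2] + "*" * (len(value) - 2)


def find_hardcoded_secrets(filename, source):
    """Return (file, line number, identifier, redacted value) for each suspect literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = _ASSIGN_RE.search(line)
        if m and not _PLACEHOLDER_RE.match(m.group("value").strip()):
            findings.append((filename, lineno, m.group("name"), _redact(m.group("value"))))
            continue
        m = _TOKEN_RE.search(line)
        if m:
            findings.append((filename, lineno, "<token-literal>", _redact(m.group("value"))))
    return findings


def scan_all(sources=VENDOR_SOURCES):
    return [f for name, src in sources.items() for f in find_hardcoded_secrets(name, src)]


class MissingCredential(RuntimeError):
    """Raised when a required credential was not supplied by the environment."""


def load_credential(name, env=None):
    """Hardened pattern: read the credential at run time from the process environment
    (or an injected mapping) and refuse to start without it, rather than shipping a
    default in the code."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise MissingCredential(f"{name} must be provided by the deployment environment")
    return value


if __name__ == "__main__":
    for filename, lineno, ident, redacted in scan_all():
        print(f"{filename}:{lineno}: {ident} = {redacted}")
```

The scan is deliberately simple and pattern-based, so it complements rather than replaces the vulnerability testing tools the text refers to: a clean run proves only that nothing obvious is present. It is also a useful contract-acceptance artifact, because each finding can be returned to the vendor with a file and line number. Note that `load_credential` addresses storage in code only; the bullet's second requirement, encrypting credentials in transit, is a transport configuration matter (TLS between client and server) that this example does not cover.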
Information Assurance

As with software, information, or data, can introduce vulnerabilities that should be minimized or eliminated. For example, information that is SSI as defined by 49 CFR 1520 but that is not labeled as such increases the likelihood that such information will be leaked to those not authorized to view it, an issue that at least one large airport has experienced. Information, or data, should also be assured to have integrity (i.e., not have been altered), availability to those who need and are authorized to access it, and authenticity, with its source known (Information Security Standards 2014). As with software assurance, information assurance should start with defining the requirements for the integrity, availability, and authenticity expected. These requirements should be documented in information security standards, data clauses of acceptable-use agreements, and non-disclosure statements. These standards or specifications should be enforced by airport policy and reflected in consultant contracts, tenant agreements, and employment conditions. They should cover the following key practices of information assurance, which are related to cybersecurity:
• Legal requirements, regulations, and agreements must be met. These include laws such as 49 CFR 1520, which protects SSI; the FAA's requirement for certificated airports to record operational data; and agreements with credit card companies to adhere to PCI standards.
• Non-disclosure agreements and acceptable-use policies should be established to ensure that data is used by authorized individuals with a legitimate need to know. These individuals must also be informed of the sensitivity of the data they possess and how to handle it. This includes providing the proper level of cyber and physical protection of data whether they are on-site at the airport or off-site in consultant and tenant offices.
• Label all data to indicate its contents, source, temporality (i.e., for what date ranges the data is valid), and sensitivity level. Transmittal letters should accompany data deliverables to assure that the data meets all applicable airport and legal requirements for that data.
• Archive original copies of data so they can be recovered in their original form if required.
• Back up operational data so that normal operations can be resumed quickly and efficiently if data is corrupted as a part of an attack.

Airports may also want to consider factors beyond cybersecurity when providing information assurance for data delivered to them. These and other precautions may be considered by airports on a case-by-case basis to help protect the usability of data. While hardware, software, and network devices are essential elements of IT infrastructure, it is ultimately the data that is required by end users and must therefore be of the quality they require.

Resources Required

Effective cybersecurity programs require an appropriate mix of internal and external resources. Internal resources include airport staff. Funding is also required to obtain external resources such as consultants, vendor services, training programs, software, and possibly hardware. This funding may come from airport operating funds and other sources and be incorporated into budgets of capital programs. The level and mix of resources required will vary greatly based on the size of the airport, the propensity of management to use internal staff versus external consultants, existing staff skills available, availability of qualified consultants, and other factors. Using no external resources is
not an advisable option, as some of the skills and capabilities required are not needed 100% of the time and would be expensive for an airport to retain. Furthermore, there are low-cost or, in some cases, free external resources (e.g., ISACs) that can be tapped to maximize the cost-effectiveness of an airport cybersecurity program. Conversely, outsourcing all aspects of a cybersecurity program is not feasible because decisions, priorities, and funding must be set by individuals who have a broad perspective of the airport's needs and who are ultimately going to be held accountable for a successful attack. Between these two extremes, however, there is a wide range of possibilities.

There is no minimum threshold of resources or investment that is required to establish and maintain a cybersecurity program. On one end of the spectrum, an airport can read freely available material to become aware, utilize free training and information sharing resources, install low-cost end-point protection, and remain vigilant. On the other end of the spectrum, an airport can spend significant funds on training, consultants, and other external resources. The senior management of each airport must, with the help of IT and consultant resources if available, determine the appropriate balance between risk mitigation and the opportunity cost of the staff and financial resources they have. To support this decision, this section describes the types of resources that are required and the range of options that exist based on current industry practice. Trends are also noted, as the demand for and supply of cybersecurity resources are rapidly growing and evolving. Where possible, guidelines are offered to help senior managers decide on the appropriate level of investment in cybersecurity for their airport.
Staffing

Whether new staff are hired or existing staff are assigned new responsibilities, cybersecurity requires attention from airport managers and staff. Before the level of staff resources required can be determined, it is important to review the key roles that must be fulfilled, determine where they best fit within the organization, and assess the capabilities (i.e., skills, education, experience, and training) and capacity (i.e., availability or, more likely, the impact of not accomplishing some existing tasks) of available staff. The gap that remains between the capabilities required and the capacity available needs to be filled. Doing so may require augmenting the capabilities and capacity of existing staff with new hires and/or external resources.

Cybersecurity Roles

There are 12 primary organizational roles that must be fulfilled to support an effective cybersecurity program. Note that a role is not the same as a full-time equivalent (FTE). In some organizations, individuals will be assigned multiple cybersecurity roles, perhaps in addition to other airport duties. In other organizations, one or more individuals may fulfill a specific role. The 12 roles are as follows:
• Senior management must be aware of and remain informed about the threats their airport faces, the likelihood those threats may impact critical information or systems, and the cost that impact may have on safety, efficiency, revenue, and reputation. This requires awareness training and periodic briefings. It also requires support from IT and facility managers who can provide the details at the appropriate summary level to help senior managers make informed decisions. During budget decision cycles, senior managers should evaluate the organization's investment in cybersecurity using metrics against alternative investment options.
• Chief information officers are often entrusted with the security of an organization's data and systems.
Some CIOs interviewed for this study felt that this responsibility may not be well placed, since they also have a responsibility to provide a level of access to data and systems.
The objectives of providing access and reducing cybersecurity risk are often at odds. They recommend having a separate individual, such as a CISO, be responsible for cybersecurity and report to senior management or to whoever within the airport is responsible for organizational risk, legal, or regulatory matters.
• Chief information security officer (or cybersecurity manager) is an increasingly common title within organizations, including airports. Such individuals should be trained in cybersecurity principles and be prepared to carry out or manage the activities that are required. They must remain aware of the range of threats airports face and the options available to counter them. CISOs must identify, acquire, and lead the application of the human and financial resources required to provide the level of protection desired by senior management. To accomplish this, CISOs should be prepared to identify and, to the extent possible, quantify risks. They should be prepared to advise senior managers on matters of policy and collaborate with managers throughout the organization on the enforcement of that policy. They should be prepared to work with IT managers and staff to design and implement an enterprise approach to implementing countermeasures. CISOs should also establish and maintain relationships with external service providers and agencies that can help the airport periodically assess vulnerabilities, carry out day-to-day cybersecurity activities, and respond should an attack occur (NICE 2014).
• Security managers are entrusted with the physical security of the airport. This can encompass access control, monitoring CCTV cameras, and incident response. This function sometimes falls under Operations or other departments. Sometimes their responsibilities are extended to include airport cybersecurity as well. Other times, physical aspects of security are handled by local law enforcement.
Regardless of their responsibility over cybersecurity and their organizational affiliation, security managers should be aware of cybersecurity principles and the importance of controlling physical access to airport data, systems, and network devices. They must also be aware of the SSI that they manage and how such information should be identified and protected.
• Application managers ensure that the business requirements of end users are addressed through software installed on local desktops, on servers, or in the cloud. They help enforce the airport's software assurance policy and work with vendors as new systems are selected, installed, and configured to ensure cybersecurity requirements are met.
• IT infrastructure engineers research, develop, and implement IT infrastructure components such as servers, network switches, and routers. They have input to the configuration of end-point systems. Infrastructure engineers should also record changes to the configuration of the airport's network. This continuously updated inventory serves an important purpose when assessing the likelihood and impact of an attack on the airport as well as when returning to normal configuration after an incident.
• IT operations staff oversee databases, storage devices, and other services that support business applications, end-point systems, and network infrastructure. Typically, operations staff work a help desk to provide airport staff and, in some cases, consultants with the IT support they require. With regard to cybersecurity, they monitor network logs looking for anomalous activity. They assist end users with troubleshooting and reporting issues that may be related to a cyberattack. Often, IT operations staff will be responsible for patching and upgrading systems and applications, which is an important countermeasure.
• Facility managers are often the ones to specify requirements for, oversee the implementation of, and monitor the operation and maintenance of ICS at the airport. They should be aware that such systems face cybersecurity threats and should ensure, with the help of others, that effective countermeasures are put in place as these systems are selected, procured, and installed.
• Procurement managers ensure that qualified vendors are selected to provide the airport with the products and services required. They ensure that cybersecurity requirements, including software and data assurance requirements, technical specifications, data use agreements, and
other cybersecurity measures, are included in airport business solicitations and the resulting contracts that are awarded. They must work with IT and facility managers as these documents are developed to ensure that the proper technical requirements are reflected. The CISO should be made aware of procurement documents so that the proper requirements can be put into place before they are released.
• Human resource managers should be aware of the laws and regulations regarding personal information and should be prepared to protect that information as required.
• Trainers are required to promote cybersecurity awareness and conduct or administer training for airport staff and perhaps consultants, tenants, and other stakeholders.
• Users of airport data and systems play an important role in protecting the organization against the many threats that exploit human behavior, such as phishing attacks. Users should be periodically trained, remain vigilant to activities that may be related to an attack, and report suspected issues.

The Interactive National Cybersecurity Workforce Framework has been included as a library resource for senior managers and IT managers in the multimedia material. It can also be found at http://niccs.us-cert.gov/training/tc/framework. An interactive PDF version can be downloaded from the National Initiative for Cybersecurity Education (NICE) website, http://csrc.nist.gov/nice/framework/. Page 146 of the PDF file describes the tasks and KSAs for a CISO.

Some of the primary roles involved in supporting an airport cybersecurity program are highlighted in the multimedia material. Different types of users can select the role they play and view lessons, content, and resources that fit their needs.

Developing and maintaining a team of staff and consultants who can adequately fulfill the preceding roles can be challenging.
Sometimes unqualified individuals may be offered a position and not be aware of the expectations they should fulfill or of the training resources that exist. The following resource can help airport senior managers, human resource managers, CIOs, and procurement managers identify and train individuals qualified to fulfill the preceding roles. The Interactive National Cybersecurity Workforce Framework provides lists of tasks and knowledge, skills, and abilities (KSAs) required of cybersecurity professionals, including CISOs. These have been summarized in the preceding list, but airport managers looking to hire or train cybersecurity staff members can consult this interactive document to ensure that they develop an adequately prepared cybersecurity workforce (NICE 2014).

Staffing Levels Required

The previously described roles each bear some of the responsibility for protecting an airport against cybersecurity threats. The activities that must be carried out to fulfill that responsibility include training, monitoring logs, procuring services, supporting user needs, and following procedures. Should a successful attack occur, response and recovery activities are also required. The time required to fulfill those responsibilities can vary widely based on the role(s) fulfilled
by each individual, the size of the airport, and the degree of risk protection senior management decides to implement. To evaluate the staffing needs of a cybersecurity program, it is prudent to assume that, absent any cybersecurity responsibilities, airport staff members are fully engaged and productive. In other words, no staff members have extra time on their hands to complete cybersecurity activities without there being some impact on the airport. This assumption establishes a baseline from which the staffing needs of a cybersecurity program can be assessed.

Table 2 summarizes the range of staffing levels required to support an effective cybersecurity program at an airport. The figures are expressed as FTEs, meaning a fully employed individual less paid vacation, sick, and other paid-but-not-work-related time. Typically, an FTE equates to 1,700–2,000 labor hours per year depending on the working hours, benefits, and paid programs offered. Using this approach, the lower end of the staffing requirement for a cybersecurity program is 0.3 FTE. This is spread across multiple roles and is not enough to justify a new hire. At the other end of the range, airports may require as many as 2.65 FTEs to support a cybersecurity program, thereby justifying two or three new positions. It should be noted that for several roles there is a minimal impact, which is too small to factor into such staff planning decisions and should be considered a cost of doing business.

As indicated in Table 2, several of the roles associated with cybersecurity can be outsourced. In fact, just over half [16 of 30 (53%)] of the organizations surveyed responded that they outsource some of their cybersecurity roles. A greater number [21 of 29 (72%) respondents to the question] indicated outsourcing vulnerability assessments, which makes sense because of the highly specialized skills that are required and because this activity is not continuously required.
Such outsourcing effectively lowers the investment of staff time required. Not all roles, however, are prone to outsourcing. Senior managers, facility managers, procurement managers, human resource managers, and users all play a role in cybersecurity, but they are fundamentally a part of an airport's staff and cannot simply be outsourced to support the needs of a cybersecurity program. While this section is not intended to present a rigorous staff planning or justification analysis, it will hopefully provide some guidance for planning the proper cybersecurity resources. It is clear that cybersecurity cannot be effectively applied without staff participation. It is also clear that new departments and legions of new hires are not required, especially given the growing potential to rely on outsourced resources to support many of an airport's cybersecurity needs.

Table 2. Staffing requirements for a cybersecurity program. Source: Interviews with airport CIOs and IT managers.
56 Guidebook on Best Practices for Airport Cybersecurity

Organizational Structure of Cybersecurity

Cybersecurity must be considered wherever digital data and systems are used, but it should be managed centrally with focused responsibility and authority. Where cybersecurity management resides within an airport's organizational structure varies based on the existing organizational structure, the current placement of skilled staff members, management philosophy, and other factors. Airports indicated that the individual(s) responsible for cybersecurity within their organization report to a variety of managers, as shown in Figure 6. Those that responded "other" indicated the positions of administrative services director, chief financial officer or budget director, and vice president of commercial management.

The responses summarized in Figure 6 indicate the variety of places that cybersecurity can be placed within an organization. They also indicate the split between cybersecurity falling within the IT function and cybersecurity reporting directly to senior management. This option was highlighted by many respondents during interviews and follow-up conversations. Because cybersecurity is largely, although not entirely, focused on digital data and systems, it requires skill sets that are typically found in IT functions within airports. That said, several respondents felt that cybersecurity is about risk management and should therefore report to the executive(s) responsible for organizational risk.

The titles that organizations give to the individuals they entrust with managing cybersecurity risk also indicate the variety of options that exist but are generally split between IT, senior management, and security. Titles of the individuals responsible for cybersecurity include chief information officer, chief security officer, IT manager (responsible for cybersecurity), and others. Increasingly, organizations are establishing specific cybersecurity positions with the title of chief information security officer (Strahler 2014).

Figure 6. To whom does cybersecurity report? Source: 40 of 51 organizations that responded to the survey or interviews conducted for this project.

Funding

Funding is an important resource that is required to implement and sustain an effective cybersecurity program. It is required to compensate staff members and to procure products and services from the necessary cybersecurity service providers. As with human resources, the level that is required must be estimated and sources must be found to fill any gaps in what is available. The costs and benefits of cybersecurity must also be considered to determine the level and sources of funding required.

Funding Levels

Unfortunately, cybersecurity budgets have traditionally been a relatively low portion of an organization's overall IT budget (based on survey results from this project as well as NCHRP 20-59(48), "Effective Practices for the Protection of Transportation Infrastructure from Cyber Incidents"). Airports also report that the IT budget is typically less than 10% of their overall operating budget [based on 13 of 18 (72%) respondents who answered the question]. Even with the largest airports' operating budgets in the hundreds of millions (City of Chicago 2014; Greater Orlando Aviation Authority 2014; Dallas/Ft. Worth International Airport 2014; Minneapolis–St. Paul Metropolitan Airports Commission 2014), cybersecurity expenditures can quickly be diminished to relatively small levels. Airport cybersecurity budgets are, however, on the rise [7 of 24 (29%) respondents indicated their budgets would rise 5% or more and 12 of 24 (50%) respondents indicated their budgets would rise 1–5%]. These increases are driven largely by the desire to prevent service interruptions, property damage, data loss, or degraded reputation.

Estimating the specific amount of funding required is difficult because each airport's budget priorities and propensity to spend on cybersecurity protection will be different. Considering the range of staff FTEs that may be required, an annual cost of $50–500 million may be required to support staff time spent on cybersecurity activities. A rudimentary top-down estimate using the percentages cited previously from the project survey responses suggests airports spend 0.9% of their operating budget on cybersecurity. Based on median airport operating expenses, this may equate to as much as 10 to 12 cents per enplaned passenger. Caution: These rules of thumb are not based on a comprehensive statistical or cost analysis.

Funding Sources

Regardless of the level required, funding to support increased cybersecurity activities must come from somewhere. Following are the possible sources of funding that should be considered to support an airport's cybersecurity program:

• Operating expenses budget is likely the most common source of the funds airports use to support cybersecurity activities. Cybersecurity often falls under the IT budget of an airport, and this budget is typically considered an operating cost.

• Capital investments are often used to fund large infrastructure or facility improvements. The cost of implementing countermeasures to protect the data and systems that are implemented as a part of these programs should arguably be incorporated into the cost of these programs.

• Grants from the DHS and other federal agencies to support cybersecurity activities are on the rise. Consistent with the Obama Administration's emphasis on cybersecurity, cybersecurity budgets of many federal agencies have been on the rise (Corrin 2013). Using federal budget appropriations, the DHS "will fund more cybersecurity research and help . . . local governments bolster their online defenses" (Sullivan 2013). Some of these funds may be indirectly available to support cybersecurity at airports. The Catalog of Federal Domestic Assistance (CFDA), which can be found at the CFDA website (www.cfda.gov/), lists available grants, several of which are intended to support cybersecurity research and training. State and local agencies are sometimes on the list of eligible applicants for these grants.
One such cooperative program from DHS provides funding that supports the MS-ISAC. Airports can become members of the MS-ISAC and can receive some cybersecurity services free of charge as a result. MS-ISAC also offers extended services for an additional fee.

Regardless of the amount of funding required or the sources used to provide that funding, it is incumbent on each airport's management to determine the proper level of cybersecurity spending based on the funds available, alternative uses of those funds, and their desire to protect their airport data and systems from cyberattack. This decision should be evaluated on an annual basis as budgets are determined, with the assistance of IT and facility managers who are making investments in new or existing systems. It is also incumbent upon all involved in supporting an airport's cybersecurity program to make the most use of free or low-cost resources that can support their cybersecurity objectives.

Costs Versus Benefits of a Cybersecurity Program

A cybersecurity program does not need to be costly or complex or require resources beyond an airport's means. Any level of protection is better than no protection. An airport's senior management must decide the relative costs and benefits of a cybersecurity program and empower their staff to implement the level of countermeasures they feel are warranted. IT staff and consultants should work with their senior managers to provide them with the information they need to make an informed decision. Because many countermeasures are free, low cost, or perhaps already in place, an airport can establish a basic cybersecurity program without a large initial investment. This document is intended to provide the guidance that airport managers need to be proactive in a way that follows best industry practices but provides an acceptable cost-benefit return based on the airport's other needs and available resources.
Many feel that senior managers should not expect a cybersecurity program to provide a positive return on investment. Cybersecurity is an increasing cost of doing business and of utilizing modern technology. It does not offer revenue, improve efficiencies, or allow staff to accomplish tasks they otherwise could not do. If return on investment must be measured to support corporate decision making, then benefits that may be measured include the avoidance of costs associated with a successful attack and the associated operational downtime, fines, and recovery costs that would ensue. Such information is difficult to quantify and must be weighted by the likelihood of its occurring, which is even more challenging to measure. For these reasons, quantified cost-benefit analyses or return-on-investment calculations should be cautiously interpreted. Airports that require such analyses in order to make investment decisions should consider at a conceptual level the cost-benefit ratio of performing such an analysis. In this regard, cybersecurity is similar to physical security. It is a necessity, in some cases a legal requirement, and ultimately a prerequisite to operating an airport.

External Support

There are numerous external resources that can support an airport's cybersecurity program. There is a growing number and variety of vendors, consultants, and service providers that offer products and services. Many of these providers can augment or fulfill several of the roles required by an effective cybersecurity program. In addition to these paid service providers, there are a number of agencies that can provide direct or indirect assistance for free. Some of these can help an airport establish a cybersecurity program; some can provide ongoing assistance to sustain a cost-effective cybersecurity program; and others can help if a successful attack occurs.
Following is a list of such external agencies, listed in descending order of the number of survey respondents that mentioned beneficial relationships with them:

The Federal Bureau of Investigation has field agents assigned to airports. Cybersecurity is a large and growing part of the FBI's mission, and these field agents can provide airports with information on new threats as well as assist if a successful attack does occur. It is prudent to identify the airport's FBI field agent(s) and inform them about the airport's makeup, objectives, and actions related to cybersecurity. This can best be accomplished through continued contact between the airport and the local FBI office.

The Transportation Security Administration has passenger screening and other physical security responsibilities at most airports. TSA is often the most visible part of the DHS at an airport. Since many cyberattacks are carried out by attackers on the airport premises, TSA can be a vital resource in identifying and reducing the likelihood of an attack.

The Department of Homeland Security has many offices that are focused on cybersecurity, although they are not necessarily located at the airport. DHS can provide airports with information about threats and may direct the airport to valuable resources in the event of a successful attack.

Local law enforcement should be aware of an airport's cybersecurity activities and may be able to provide assistance in the case of a successful attack. A growing number of law enforcement agencies are developing cybersecurity units with personnel that are specifically trained to help organizations and individuals in their jurisdictions. Regardless of the assistance they can offer, cyberattacks are a crime and should be reported to law enforcement officials.
The Federal Aviation Administration, whether on-site, at a regional office, or at headquarters, may be able to provide assistance in response and recovery depending on the nature of an attack.

The Central Intelligence Agency (CIA), like the FBI, is increasingly focused on cybercrime and may provide information on new threats that airports may face.

It is prudent not to wait for an attack to occur before reaching out to these agencies. Most airports [20 of 21 (95%) who responded to the question] have already established relationships with such agencies. By establishing relationships and allowing them to become familiar with an airport's cybersecurity objectives, staff, and activities, external agencies will be better able to provide effective assistance should an attack occur. The best way to achieve this is to hold periodic meetings to which these individuals are invited. The contacts and relationships that evolve from such interaction not only will improve the cost-effectiveness of a cybersecurity program as it is getting started or operating normally but also can save vital time in the response to and recovery from a successful attack.

Cybersecurity Training

Training is an important part of an airport's cybersecurity program. Many of the most common threats can be averted by providing training that increases awareness and encourages employees and consultants to be constantly vigilant. Training is also less expensive than many other countermeasures and far less expensive than recovering from a successful attack. Training is specifically called out in the NIST "Framework for Improving Critical Infrastructure Cybersecurity" (NIST 2014) and has been demonstrated to be a cost-effective approach to achieving an initial base level of cybersecurity protection. A user-focused cybersecurity education by a dedicated cybersecurity staff for all airport employees to make them aware of potential threats is critical to mitigating vulnerabilities, concludes a recent paper on Cyber Security for Airports (Gopalakrishnan et al. 2013).

The majority of organizations surveyed [20 of 27 (74%) that responded to the question] indicated they do have a cybersecurity training or awareness program for employees. Training topped the list of cybersecurity best practices used or planned to be used in the next 12 months: cybersecurity training for staff (83% of respondents, 24/29). Because most of this training is being conducted by internal resources (90% of respondents, 26/29), the type, quality, and breadth of the training are not likely to be comparable from site to site. Despite the promise of planned training, based on the survey results, the following constraints limit the participation in, and the effectiveness of, a current or planned cybersecurity training program:

• Insufficient information about available training [3 of 7 (43%) that responded]: Lack of available training information should not be a barrier, because a casual search for cybersecurity training turns up more available training than most organizations can synthesize. This may overwhelm a staffer who is already busy fighting day-to-day business issues at an airport operation. The multimedia segment of this report provides a first level of training and offers links to additional resources, some of them available at no or low cost.

• Insufficient budget for staff overtime to take training or for training contractors [2 of 7 (29%) that responded]: A current approach to training is to provide training materials that are self-paced, online, and modular to allow a staff member to receive training in segments rather than providing an overtime budget for training. Just as mandatory communications meetings or organizational meetings occur within a department or group, training needs to be sanctioned by senior management as an integral component of an employee's work responsibilities. Also, for some positions, certifications (e.g., PCI DSS) are required as a minimum upon hiring, and then annual re-certification is necessary.
Budget for basic and advanced training does require the business to prioritize the risk/benefit, and this is accomplished in the assessment phase of the NIST Framework.

• Lack of management support [2 of 7 (29%) that responded]: Increased visibility at the national level for protection of critical infrastructure (including airports) against cyber threats is precisely targeted at reaching the management and budgeting authorities. Studies do demonstrate that cyberattacks are now focusing on senior management because they might be more lax when it comes to IT mandates and requirements due to their busy schedules. For-profit companies are now seeing the pressure at the board level, which will ultimately motivate the management.

• Confusing training requirements and lack of internal expertise to conduct training: Almost two-thirds of survey respondents indicated their spending on training will increase or stay the same, so the awareness of the need appears to have made an impact on future investment. However, airport personnel responded that the variety of training programs and sometimes conflicting standards present a barrier to deciding what type of training should be implemented with their limited budget.

Types of training range from cybersecurity awareness designed for the entire organization to more specialized training for staff responsible for networks, development of internal applications, or financial and personnel information. A best practice is to provide awareness training to every new hire as well as an annual refresher course covering the changing threat landscape and recent attempts or breaches at other airports or in other transportation-related industries. Because of its foundational value, awareness training is the focus of the next section. Specific training for the hardware and software configuration of the individual airport should be part of the professional development and protection phase of the overall cybersecurity plan.
Awareness Training

"People cannot value security without first understanding how much is at risk." (White House 2009)

At the national level, it has become clear that awareness of our cybersecurity threats and countermeasures is essential to creating an overall level of protection. Accordingly, NIST's Framework includes Awareness and Training as an important countermeasure. The Framework recommends that "the organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements."

While awareness is important, airports that responded to this project's survey indicated that for the most part senior management is aware of cybersecurity but does not consider it a primary concern [4 of 9 (44%) that responded to this question] or that senior management is made aware when an issue occurs [3 of 9 (44%) that responded to this question]. For many, cybersecurity is not a priority until an attack. As illustrated earlier (see Chapter 3), cyberattacks on airports do occur and some have been successful.

Increasing cybersecurity awareness among senior management, airport staff, and tenants and consultants is an important foundation for other elements of a best practices plan. Fortunately, it is a relatively easy one to implement using this guidebook, the associated multimedia material, and the additional sources cited. Following are some of the steps that airport managers and staff who are responsible for cybersecurity can take to increase awareness:

• Require awareness training for all new hires
• Provide mandatory annual updates for all employees
• Initiate a method for assessment, preferably pre- and post-awareness training
• Offer online availability of awareness information for referral
• Disseminate alerts of any current, active, or suspected threats to all users
• Implement a reporting program for employees to notify the appropriate security department of phishing, spear phishing, suspected malware, anomalous behavior, etc.
• Provide a clear method for reinforcing behavior change by creating simulated attacks (for example, phishing emails) with immediate awareness training/feedback
• Create consistency through assessment of the progress of the organization toward awareness goals and publish the progress results to users

The multimedia material can be used to help increase the awareness of cybersecurity best practices within airport organizations.

Specialized Training

Personnel tasked with the management or control of specific systems (e.g., network infrastructure, financial data, PII, ICS) require specialized training unique to the configuration of the individual airport. Regulations govern only a small fraction of these. Breaches of PII are covered by laws in 47 states, although no comprehensive federal legislation is in place. Legislation is being proposed that would extend regulations that currently apply only to government agencies or to contractors to the government. As an example of a practice that may apply in the future to airports receiving federal funding, the U.S. Department of Transportation and FAA are required annually to audit the state of their information security program as required by the Federal Information Security Management Act of 2002. The most recent report and audit indicated improvement in 2013; however, significant security issues and vulnerabilities were uncovered according to the final report of the FY 2013 audit. Training was among the issues mentioned. The audit report specific to training states, "The Department successfully provided security awareness training to over 90% of its employees but had not made sufficient progress in other critical areas. In particular, programs are still not adequate to ensure that (1) all contractors receive required security training and (2) personnel with significant security responsibilities receive sufficient specialized training" (FISMA 2013). Airports, particularly small and midsized, may be vulnerable to consultants working on systems with insufficient specialized security training. Facilities project managers may not recognize the need for the involvement of IT and security personnel.

Training Resources

The National Cyber Awareness System (http://www.us-cert.gov/ncas/) offers an array of information for employees with varied technical expertise, covering all but the most technical and trained cybersecurity personnel. This material can supplement an awareness program and provide updates on the most current threats. Those with more technical interest (specifically IT staff responsible for configuring or monitoring network systems) can read or subscribe to Alerts, Current Activity, or Bulletins. These products can also be summarized and disseminated as part of the communication to less technically astute users to maintain a current secure posture. End users with less technical expertise who are looking for more general-interest pieces can read the Tips; alternatively, these Tips can be incorporated as appropriate into the ongoing airport awareness program. As a proactive part of an airport best practice awareness program, a staff member can be tasked with subscribing to, receiving, and disseminating the daily and weekly information as appropriate to the different members of the community, and with maintaining a resource on the specialized cyber training intranet.

The National Cybersecurity Workforce Framework (http://csrc.nist.gov/nice/framework/) provides tools to identify the tasks and KSAs required of a qualified cybersecurity workforce and provides a current listing of training options that are available (NICE 2014).

Several universities, including Texas A&M Engineering Extension Service (https://teexweb.tamu.edu/), offer free or inexpensive cybersecurity training.

PCI-Essentials (https://www.securityinnovation.com/training/cardholder-data-security/pci-essentials-awareness-training.html) is a modestly priced online course offered by the PCI's Security Standards Council. This course helps organizations attain a level of compliance with PCI DSS that credit card companies require.

Sustaining a Cybersecurity Program

Like all assets (tangible or not), a cybersecurity program must be maintained to protect the investment that has been made and, ultimately, to be effective in protecting the airport's data and systems. Ongoing training, monitoring, funding, and management support are required to sustain an active and robust program. This is particularly challenging when the threats, as well as the measures to counter those threats, are evolving so rapidly. The following ongoing activities are recommended to sustain an effective airport cybersecurity program:

Inventory updates are required to reflect the current configuration of an airport's systems, information resources, and network infrastructure. This inventory should not only identify the data, systems, and devices but also track information that is critical to protecting these assets, such as users, vendors, criticality of use, and other factors. Keeping this inventory up to date on a continuous basis not only ensures the details will be available when needed but also avoids the repeated expense of consultants being hired to perform comprehensive updates as part of an IT master plan.

Threat intelligence must be kept up to date so that the likelihood of a successful attack against the information, systems, and devices inventoried is as current as possible. ISACs, relationships with other agencies, dialogue with peer airports, and support from service providers are all ways to maintain a high level of threat intelligence.

Program budgets should be periodically updated to ensure that staff and funding resources are available to implement the countermeasures required to protect the airport against current threats. Such budget decisions require that vulnerability assessments be updated to reflect the current landscape of threats and available countermeasures. Budget funding for cybersecurity may also change as awareness grows and attacks are experienced.

Software upgrades and patches, particularly those that address a new or newly discovered vulnerability, should be applied as they are made available by vendors. Information on which versions of software and which patches have been applied should be recorded in the airport's systems inventory.

Continuous monitoring of network activity, application, system, social media, and email logs is an ongoing necessity of a cybersecurity program. Airports that cannot or choose not to retain qualified staff to handle this activity can rely on service providers, as well as increasingly sophisticated software and hardware, which can alleviate the burden, albeit at a cost.

Vendor selection criteria should ensure that airport cybersecurity requirements are met as new information services and systems are procured. This will require constant interaction with airport managers looking to procure new information services and products, as well as with procurement managers who are responsible for including technical specifications and airport cybersecurity policies and procedures in solicitation and contract documents. Periodic confirmation that vendors on multi-year contracts retain the necessary skills, equipment, and procedures should be considered.
Training needs to be an ongoing process, not only to refresh staff, consultant, and tenant understanding of their roles and responsibilities but also to keep them up to date on the latest threat information. Periodic training is also a requirement of compliance with PCI DSS, and it should be determined whether other regulatory or legal requirements call for it.

Risks that can limit the success of a cybersecurity program should be periodically considered. New risks should be identified, and the effectiveness of mitigation strategies will need to be evaluated.

These activities should be carried out by the individuals who fulfill the variety of roles related to cybersecurity at an airport. These individuals should ensure that the necessary cybersecurity activities are executed in an efficient and effective manner.

Risk of Implementing a Cybersecurity Program

Few activities offer positive outcomes without some form of risk that must be mitigated to ensure optimal results. Cybersecurity programs are no exception. They introduce risks that need to be identified along with their potential impact, likelihood of occurrence, and steps that can be taken to mitigate them. Following is a list of potential program risks that a CISO or the individual(s) entrusted with leading an airport's cybersecurity program must manage for that program to be effective:

• A false sense of security may arise among airport managers and staff once investments in cybersecurity have been made. The result can be reduced vigilance in carrying out countermeasures, observing anomalous activity, and reporting suspected attacks. Periodic training and reminders that highlight new threats and the importance of continued support can reduce the likelihood of this risk to a cybersecurity program's effectiveness.

• Increased visibility can result from greater organizational emphasis on cybersecurity. This may increase the awareness and interest of nefarious actors, from outside or inside an organization. To minimize this risk, information on cybersecurity vulnerabilities and countermeasures should be treated as SSI and be made available only to those who need to know and who have agreed to handle this information in a specific manner.

• Overreaction to threats may result from increased awareness of cybersecurity threats; for example, threats highlighted in the media may create a sense of panic, or at least overreaction, that may overly influence decisions to invest in data and systems. Ultimately, the objective of technology is to serve a variety of needs. The use of technology should be protected against cyber threats but not in an overly limiting manner. To address this, vulnerabilities should be assessed and prioritized on an ongoing basis by informed experts from within the airport or external service providers.

• High turnover rates may occur after airport cybersecurity staff members are trained and gain valuable experience at the airport. The rapidly growing demand for cybersecurity professionals and the current shortage of qualified human resources may lead to a high turnover rate among airport cybersecurity staff. Cybersecurity programs need to mitigate this by managing workloads and creatively attracting and retaining top talent. A balanced approach includes flexible work hours, competitive compensation packages, and constantly challenging qualified people with a variety of tasks.

• Poor return on investments in vendor products may result if the products and services being offered are not thoroughly evaluated. Whether building a new program or maintaining an existing program, airport managers are being presented with a growing range of emerging cybersecurity products and services. Aggressive sales and marketing campaigns fueled by growing market demand often make it appear that these new products and services are essential.
To mitigate this risk, those involved in procuring cybersecurity products and services should carefully evaluate the choices, seek testimonials and reviews from peer organizations, and carefully consider the costs and benefits of each solution.

• A reluctance to spend money on cybersecurity may arise, especially during tight budgetary times, after the initial investment in a cybersecurity program is made. Because the impact and effectiveness of a cybersecurity program are difficult and time consuming to quantify, cybersecurity programs may come to be seen as an unnecessary expense. The irony of avoiding successful attacks is that senior management and others may perceive the threat level to be lower than it really is because they are experiencing the benefit of the past investments that have been made and should therefore be sustained. Mitigating this risk requires information and metrics on the threat levels that exist and the criticality of the data and systems that could be affected at the airport if a successful attack occurs.

• Information overload is increasingly likely as airport managers subscribe to and pay more attention to the growing information that is available on cyber threats. In many situations the information that is available becomes so pervasive that managers do not have time to review the portions that are relevant to their airport. To overcome this, specific individuals should be tasked with reviewing and interpreting the information that is received. They can then forward or highlight the relevant pieces to the appropriate parties. Care should also be taken to subscribe only to the resources that are most likely to provide relevant information.

The individuals entrusted with cybersecurity at an airport must identify these and other risks the programs they manage may face. They should develop, implement, and periodically reevaluate the effectiveness of the mitigation strategies they develop to reduce the likelihood and the impact of these risks.