Guidebook on Best Practices for Airport Cybersecurity

CHAPTER 7

Conclusions and Suggested Research

The following primary conclusions of this research are focused on steps airports can take to protect themselves against cyber threats. Additional research to help airports sustain this level of protection into the future is also recommended.

Conclusions

The growing threat of cyberattack on airport computers, networks, control systems, and critical infrastructure is a clear trend that is well publicized in the media, trade forums, and legislation. This trend is also substantiated in the research that has been conducted for this project. Cyberattacks are increasing in number and sophistication. The result has been a loss of confidential and sensitive information, costly disruption to operations, adverse impacts to reputation, and in some cases financial loss and equipment failure.

Fortunately, the number and sophistication of countermeasures to combat the increased threat is also growing. Federal, state, and local government agencies are passing legislation and offering resources to help. Non-governmental and non-profit organizations are establishing forums for information exchange. For-profit companies and individual consultants are also improving the services, software, and hardware they offer to combat the threats that exist.

No airport is immune to attack, and many can be better prepared. Implementing cybersecurity countermeasures is not an option; it is a requirement of safe and efficient operation. Following are some of the primary countermeasures that all airport managers and staff should consider:

• Become and stay aware of the threats that can impact critical data and systems by maintaining regular communication with peers and related agencies, participating in ISACs, and engaging (if the means exist) cybersecurity professionals.
• Establish and enforce policies for acceptable use, SSI, information privacy, software and data assurance, training, and communications.
• Periodically train managers, staff, consultants, and tenants on their roles to protect data and system credentials, be wary of social engineering tactics, adequately protect the devices they control, and report suspicious activity and policy infractions.
• Maintain an inventory of data, systems, network devices, and users that may be affected by a cyberattack.
• Identify vulnerabilities where these assets are not adequately protected and prioritize them based on the impact a successful attack may have.
• Implement countermeasures to achieve the level of protection that is desired and affordable.
• Assign CISO responsibilities to a qualified staff member, new hire, or consultant.
• Monitor computer and human behavior through manual and automated means.
• Communicate anomalous activity and successful attacks to the CISO, IT staff, senior management, affected stakeholders, other agencies, and law enforcement personnel.
• Be prepared to isolate affected systems, remove them, recover from attacks, and learn from them.
• Recognize that even if all of the foregoing measures are implemented, the airport will still not be perfectly protected. Remain vigilant and continuously improve the level of protection to the extent possible given the resources that are available.

To implement these and other countermeasures in an effective manner, many airports are establishing cybersecurity programs led by a CISO and supported by senior management. Such an approach formalizes the process and establishes a centralized resource.

Cybersecurity is not out of reach for any airport. Whether the smallest general aviation or the largest hub airport, the challenge is to achieve a level of protection that provides those responsible for safety and operational efficiency with a desired level of comfort within the limits of available staff and financial resources. While there are some laws and regulations that must be met, there are a wide variety of options based on the risk propensity, exposure, and resources available.

Senior managers cannot, however, decide on the desired level of protection without input from technical and operational staff who understand the vulnerabilities and potential impacts of an attack. CISOs cannot implement the desired protection without this guidance; allocated resources; and the support of staff, consultants, and tenants. Protecting an airport from the threat of cyberattack is a shared responsibility and not one handled exclusively in the IT equipment room.

Airports need not pursue cybersecurity protection alone. There are a growing number of agencies, organizations, companies, and forums that can help. Some are emerging to specifically help airports and other aviation organizations. Following are some of the resources airports should tap in pursuit of a cost-effective cybersecurity program:

• FBI agents are assigned to each airport and can be a conduit to the cybersecurity resources of their agency.
• DHS provides funding that allows the MS-ISAC to provide member airports with training, material, and other resources as well as assistance should an attack occur. MS-ISAC also offers network monitoring and other specialized services for a fee.
• Training resources that are free or inexpensive but effective are increasingly available. Many of these are available online. Some that airports may find useful are listed in the cybersecurity training resources section of Chapter 5.
• SANS Institute (http://www.sans.org/reading-room/) offers an online reading room that is continuously updated with helpful documents.
• InfraGard (www.infragard.org) is a partnership between the FBI and the private sector that is dedicated to sharing information on hostile acts against the United States, including cybersecurity attacks.
• CSET is a CD-based software tool that helps organizations evaluate the cybersecurity posture of their systems and network. It was developed by DHS in conjunction with the ICS-CERT and NIST. It can be obtained free of charge from ICS-CERT (ics-cert.us-cert.gov/Downloading-and-Installing-CSET).

The guidance provided in this document, along with the multimedia materials offered and the growing number of industry resources available, should allow airports to determine, implement, and sustain a prudent level of cybersecurity protection.

Suggested Research

The research conducted during this project has identified best practices and steps that airports can take to protect themselves against cyberattack. The environment is however rapidly changing in terms of the threats that exist, data and systems that must be protected, and the countermeasures available to help. This suggests that additional, and perhaps in some cases, ongoing research is required. Following are some suggestions identified during the course of this research:

• Threat analysis requires ongoing research into the actors, vectors, and types of threats that can affect airports. This analysis should include threat trend analysis, actor profiling and attribution, and system vulnerability testing. There are many agencies, organizations, and companies that are dedicated to this activity, but few if any are focused on airports. Support for an ongoing research initiative that pools threat information relevant to airports is therefore recommended. These need not, but perhaps would best, be established as a part of other broader research efforts.
• Technical standards and specifications for protecting ICS could be developed to help not only airports, but also installers and manufacturers of these systems, attain a common baseline of protection.
• Training for facility managers and ICS installers on how to protect their systems against cyber threat will help ensure those systems are properly protected. This training must include cybersecurity awareness and an overview of the airport's approach to protecting critical systems. In addition, the training should provide details on how to adhere to the specifications described previously.

These and perhaps other research efforts will help airport managers and staff remain vigilant despite the dynamic nature of cybersecurity.