The National Academies Press

Currently Skimming:

Pages 39-64

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.

From page 39... ... 39 Chapter 4 covered how to identify cyber threats, assess their likelihood and impact, and implement countermeasures that provide protection. This chapter discusses how these activities can be supported and sustained by a comprehensive cybersecurity program. Read the entire page →
From page 40... ... 40 Guidebook on Best Practices for Airport Cybersecurity the daily activities of these individuals as well as all stakeholders. Characteristics of governance include the following (Bodeau et al. Read the entire page →
From page 41... ... Developing a Cybersecurity Program 41 While the foregoing laws and regulations are pertinent to airports, there are a number of additional requirements placed on federal agencies. These are listed below as a reference. Read the entire page →
From page 42... ... 42 Guidebook on Best Practices for Airport Cybersecurity professionals suggest that the following standards and guidelines are best practices and should be considered as a part of a prudent airport cybersecurity program. Framework for Improving Critical Infrastructure Cybersecurity was developed by the NIST in response to Executive Order 13636, which called for the creation of a cybersecurity framework to protect our nation's critical infrastructure. Read the entire page →
From page 43... ... Developing a Cybersecurity Program 43 Despite the relevance of these standards, some respondents [4 of 24 (12%) who responded to the question] Read the entire page →
From page 44... ... 44 Guidebook on Best Practices for Airport Cybersecurity tend to be less compliant. This problem continues to grow as evidenced in the growing amount of credit card fraud losses as summarized in Figure 5 (HSN Consultants, Inc. Read the entire page →
From page 45... ... Developing a Cybersecurity Program 45 effective methods of protecting stored data should also be considered as potential risk mitigation opportunities. Restrict physical access to vital data and systems. Read the entire page →
From page 46... ... 46 Guidebook on Best Practices for Airport Cybersecurity airport provides the best risk posture possible. PCI training can be offered to airport personnel, tenants, and consultants. Read the entire page →
From page 47... ... Developing a Cybersecurity Program 47 policies but will also provide some assurance to all employees that their private information is handled in a compliant and conscientious manner. Recommended policies for airports to consider to support cybersecurity best practices are provided for both IT managers and senior managers in the multimedia material. Read the entire page →
From page 48... ... 48 Guidebook on Best Practices for Airport Cybersecurity possible into the procurement process so that qualified service providers responding to the airport's solicitations are fully aware of the requirements they must meet. Simply selecting a qualified provider is not enough. Read the entire page →
From page 49... ... Developing a Cybersecurity Program 49 code and/or services have been disabled as a part of their configuration management process (adapted from ICS-CERT) Read the entire page →
From page 50... ... 50 Guidebook on Best Practices for Airport Cybersecurity injections, vulnerable operating system interfaces, buffer overruns, leaks of memory not freed when software is done with them, memory pointer errors, format string attacks, and integer overflow or truncation errors (Software Assurance Marketplace 2014) Read the entire page →
From page 51... ... Developing a Cybersecurity Program 51 Information Assurance As with software, information, or data, can introduce vulnerabilities that should be minimized or eliminated. For example, information that is SSI as defined by 49 CFR 1520 but that is not labeled as such increases the likelihood that such information will be leaked to those not authorized to view it -- an issue that at least one large airport has experienced. Read the entire page →
From page 52... ... 52 Guidebook on Best Practices for Airport Cybersecurity not an advisable option as some of the skills and capabilities required are not needed 100% of the time and would be expensive for an airport to retain. Furthermore, there are low-cost or, in some cases, free external resources (e.g., ISACs) Read the entire page →
From page 53... ... Developing a Cybersecurity Program 53 The objectives of providing access and reducing cybersecurity risk are often at odds. They recommend having a separate individual, such as a CISO, be responsible for cybersecurity and report to senior management or whoever within the airport is responsible for organizational risk, legal, or regulatory matters. Read the entire page →
From page 54... ... 54 Guidebook on Best Practices for Airport Cybersecurity other cybersecurity measures are included in airport business solicitations and the resulting contracts that are awarded. They must work with IT and facility managers as these documents are developed to ensure that the proper technical requirements are properly reflected. Read the entire page →
From page 55... ... Developing a Cybersecurity Program 55 by each individual, the size of the airport, and the degree of risk protection senior management decides to implement. To evaluate the staffing needs of a cybersecurity program it is prudent to assume that absent of any cybersecurity responsibilities, airport staff members are fully engaged and productive. Read the entire page →
From page 56... ... 56 Guidebook on Best Practices for Airport Cybersecurity Organizational Structure of Cybersecurity Cybersecurity must be considered wherever digital data and systems are used, but it should be managed centrally with focused responsibility and authority. Where cybersecurity management resides within an airport's organizational structure varies based on the existing organizational structure, the current placement of skilled staff members, management philosophy, and other factors. Read the entire page →
From page 57... ... Developing a Cybersecurity Program 57 services from the necessary cybersecurity service providers. As with human resources, the level that is required must be estimated and sources must be found to fill any gaps to what is available. Read the entire page →
From page 58... ... 58 Guidebook on Best Practices for Airport Cybersecurity provides funding that supports the MS-ISAC. Airports can become members in the MS-ISAC and can receive some cybersecurity services free of charge as a result. Read the entire page →
From page 59... ... Developing a Cybersecurity Program 59 Following is a list of such external agencies, listed in descending order of the number of survey respondents that mentioned beneficial relationships with such agencies: The Federal Bureau of Investigation has field agents assigned to airports. Cybersecurity is a large and growing part of the FBI's mission, and these field agents can provide airports with information on new threats as well as assist if a successful attack does occur. Read the entire page →
From page 60... ... 60 Guidebook on Best Practices for Airport Cybersecurity topped the list for cybersecurity best practices used or planned to be used in the next 12 months: cybersecurity training for staff (83% of respondents, 24/29) Read the entire page →
From page 61... ... Developing a Cybersecurity Program 61 awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements." While awareness is important, airports that responded to this project's survey indicated that for the most part senior management is aware of cybersecurity but does not consider it a primary concern [4 of 9 (44%) that responded to this question] Read the entire page →
From page 62... ... 62 Guidebook on Best Practices for Airport Cybersecurity receive required security training and (2) personnel with significant security responsibilities receive sufficient specialized training" (FISMA 2013) Read the entire page →
From page 63... ... Developing a Cybersecurity Program 63 with other agencies, dialogue with peer airports, and support from service providers are all ways to maintain a high level of threat intelligence. Program budgets should be periodically updated to ensure that staff and funding resources are available to implement the countermeasures required to protect the airport against current threats. Read the entire page →
From page 64... ... 64 Guidebook on Best Practices for Airport Cybersecurity should be treated as SSI and be made available to only those who need to know and who have agreed to handle this information in a specific manner. • Overreaction to threat may result from increased awareness of cybersecurity threats; for example, threats highlighted in the media may create a sense of panic or at least overreaction that may overly influence decisions to invest in data and systems. Read the entire page →

From page 39...

... 39 Chapter 4 covered how to identify cyber threats, assess their likelihood and impact, and implement countermeasures that provide protection. This chapter discusses how these activities can be supported and sustained by a comprehensive cybersecurity program.