It’s a sure bet that Michelle Obama and Mel Gibson never expected to see their credit reports posted on a Russian website. And it’s unlikely the Chinese government believed itself vulnerable to systematic cyber-espionage. But Obama and Gibson’s credit reports did show up online and the Chinese government was indeed a victim of cyber espionage. It appears no one is truly safe from cyber attack.
While the attacks were not aimed at U.S. critical infrastructure—water, power, communications and transportation systems, it is likely that hackers routinely probe these systems for weaknesses and vulnerabilities.
There are also a growing number of overseas examples where critical infrastructure has been targeted to underscore that this possibility exists. In 2012, an attack against Saudi Arabia’s state-owned oil company, Saudi Aramco, destroyed more than 30,000 computers. Though the hackers attacked Saudi Arabian infrastructure, their message toward the United States was abundantly clear—as each computer was infected a burning American flag illuminated the screen. And, Stuxnet, a computer worm discovered in June 2010, attacked Iran’s nuclear facilities by targeting their Siemen software and equipment through Microsoft Windows. While it is not the first time hackers have targeted industrial systems, Stuxnet is the first worm built to spy on industrial systems as well as reprogram them.
In the air transport industry (ATI), cyber-attacks in India and South Korea and, closer to home, in Florida, show ATI is not immune to cyber threats.
But before airports can become more secure, airport directors need to identify where vulnerabilities lie. The following list is designed to help airport management pinpoint potential trouble spots. This is not an exhaustive list—cyber threats change rapidly, almost daily it seems. Airport administrators will need to review this list annually to add and remove focus areas as necessary.
Protect the “Front Door”
An airport’s communications network is the “front door” to the confidential privacy and financial information it maintains. Your email, stored documents, badge information, financial transactions, personnel records all traverse a communications link that you, as an airport manager, probably consider incomprehensible. While you may never understand it from a technical perspective, you can and should ask your IT team the following questions (and expect answers in non-technical language):
- Do we have layered security? This is fundamental. Network security is not just about running anti-virus software on every PC. It’s all-inclusive. This means that from your desktop to the Internet, you have protection. A good follow-up question is whether or not your IT team has had an external entity perform “penetration testing.”
- Have we invested in unified threat management devices (UTMs)? UTMs are an integral part of a layered security solution and include firewalls, content filtering, VPN (virtual private networks), and intrusion detection technologies.
- Have we secured all of our network “endpoints”? An endpoint is anything that can attach to your network, whether it’s a server or a USB drive. Pay particular attention to those small portable devices; like USB drives that are distributed by the hundreds at every airport convention. They can be carriers of threats when improperly handled.
- Have we properly “patched” our network? There are a number of routine network “housekeeping” tasks that should be part of your everyday security routine. Keeping all of your software updated is one. This not only includes Windows updates and patches for servers and clients, but applications and firmware upgrades on routers and switches. Many of these updates contain security fixes and patches.
Secure Your Transactions
Closely linked to your network is the security of credit card information. It requires special consideration as a breach in this area could cost an airport millions of dollars. There are three critical questions the airport director should ask its IT team:
- Are we storing credit card information in any airport systems?
- Does any credit card information go through our network?
- If the answer to either question is “Yes,” then ask: Are we PCI compliant? The Payment Card Industry Data Security Standard (PCI-DSS) is a set of requirements designed to protect and secure credit cardholder data. It was developed by a consortium of financial institutions, including American Express, Discover Financial Services, JCB International, MasterCard and Visa. The objective of PCI-DSS is to establish a global standard for data security on credit card transactions. It includes standards for security management, policies, procedures, network architecture, software design, and other protective measures. An excellent and easy to use guide, (ACRP Research Digest 11), was developed by Barich Inc. and commissioned by the Transportation Research Board (TRB). It can be found online at: www.nap.edu/catalog.php?record_id=14436
Cover Your Communications
Has the IT team reviewed every aspect of the airport’s communications services from a cyber-security aspect? Everything from free passenger WiFi to network services provided to airline maintenance shops carries potential risk. A growing number of hot-spot users are suing service providers after being hacked. And, with the increasing presence of e-enabled aircraft, airlines must be assured these networks are well-protected.
Defend Your Databases
Every airport maintains a variety of enterprise databases storing personal information, including that of airport employees and airport community badge data. Ask the IT team if they have implemented additional security measures for those specific applications. Of particular concern would be any employee medical records that fall under the purview of the Health Insurance Portability and Accountability Act of 1996 (better known as HIPAA). The U.S. Department of Health and Human Services Office for Civil Rights (OCR) may impose a penalty for failing to comply with privacy rules.
Safeguard Your Control Systems
Control systems are increasingly being targeted in cyber-attacks. Airports have a large number of control systems from building management systems to utility systems to baggage systems. Ask the IT team if they have conducted an in-depth analysis on the security of the facility’s control systems. You may wish to ask if the cyber-security of airport control systems is even managed by the IT team; historically, these systems have been operated by non-IT staff. As control systems became more sophisticated Internet connections were added to provide off-site monitoring. In many cases, this change went unnoticed and personnel without an IT background suddenly found themselves in charge of IT networks.
Manage Your Mobile Security
The growing popularity of mobile devices presents a new challenge in cyber-security. Smartphones, lightweight laptops and tablets are proliferating in large numbers and in a seemingly endless variety. Ask the IT team the following:
- Do we allow employees to use their own device (called BYOD), and what are our policies for ensuring that sensitive or confidential data is not leaked through loss of such devices?
- Have we established standards on what mobile devices may be allowed into our environment and were those standards based on cyber-security principles?
- What safeguards have we implemented to ensure mobile devices will not be access points for malware to enter the airport network?
Engage Your Employees
Your employees are your weakest link. No matter how effectively you secure your network, airport administrators still have to contend with end-users, who are often responsible for the biggest security breaches. Many employees simply lack knowledge about good security practices.
Airports need to develop an internal cyber-security policy and then educate end-users about this policy. Give special attention to users who work from home or on the road. Ask the personnel department, legal counsel and IT team if the airport has established needed policies to keep its IT assets safe. Everything from PC usage policies to standards of conduct must be adapted to the modern IT environment. The following are critical areas for review:
- Perform employee background checks. Many businesses are robbed by their own employees underscoring the importance of hiring the right people from the get-go. A background check is not perfect, but it will eliminate candidates who have had problems in previous positions.
- Institute use policies. Be sure there are policies in place to help employees practice online safety and network security. A simple but effective password policy is critical. Do you have one? At times, identity theft or fraud can be unknowingly committed by an employee. Make sure employees follow policies and protect themselves and the company from virtual intruders.
- Separate duties for employees engaged in the airport’s financial systems. A single employee should not have full authority over financial transactions. Assign several people to handle different aspects of each financial process. For example, one person might initiate purchase orders, another might handle the accounting for incoming purchases, and a third might prepare checks for payment.
Exercising the practical safeguards listed in this article can be the difference between staying cyber-safe and becoming tomorrow’s headline news
Dominic Nessi, Certified Information Systems Professional
Dominic Nessi is a certified information systems security professional (CISSP) from ISC(2) and serves on the organization’s North American Advisory Board. He is also the deputy director/chief information officer at Los Angeles World Airports found at www.LAWA.aero. He may be reached at firstname.lastname@example.org.