The airport professional's source for airport industry news, articles, events, and careers.
Issue link: http://airportbusiness.epubxp.com/i/397645
COVER STORY airports have a long ways to go, both in the United States and internationally, to meet the challenges of today's cyber threat. That's not to say that individual airports haven't excelled in terms of cyber security, but many airports still have work to do." CAUSES OF CYBER INSECURITY Dr. John McCarthy, cyber security fellow at Cranfield University and head of research with the International Centre for Airport Cyber Research, says airport systems are extremely vulnerable to attack for three key reasons: • Airports are very political environments with many different stakeholders. Just getting all the stakeholders in the same room to discuss a common problem can be an issue, he says, adding that many times all those managing vulnerable systems aren't even included in the discussions about cyber security. • The Cloud. As airports migrate to the Cloud, it's critical to know who owns the data and how it's being managed. But those things are not always considered, he says. • Airports are cost driven. Without adequate funding, airports might not invest in the technologies and people needed to secure their networks. • All airport systems, from the baggage han- dling system to the moving walkways to security cameras, reside on a single network, and can be remotely controlled—a boon for system operators but an inherent security risk. "There are multiple operations, from multiple vendors, all residing on the same network," McCarthy says. "But these sys- tems were never designed to put on public networks and it's a huge problem." Couple those issues with the explosive expansion of broadband and you have a problem of epic proportions. "Now everyone is on the Internet. Everything is accessible from every- where at all times," he says. "But we haven't embraced this in terms of our own security." WHERE VULNERABILITIES LIE According to Nessi, safety and security systems, baggage and handling technology, and the building's facility control systems are attractive targets for cyber crooks. But in stark contrast, says McCarthy, most airport cyber security efforts focus on the traditional IT network, and not on these systems. "Recent technological developments and moves to increase efficiency have resulted in the merging of traditional IT networks with SCADA (Supervisory Control and Data Acquisition Systems). Now airports often have homogeneous networks that are bolted togeth- er with cyber security as an after thought," explains McCarthy in "Cybersecurity: Keeping Cyber Secure." This phenomenon means that some of the more innocuous appearing systems pose the most risk. For instance, many people would not lump industrial control systems into their cyber vulnerabilities. But HVAC, airfield lighting, automated parking systems, automated people movers, and baggage systems all provide entry points into an airport's network. "These systems are at risk because most people don't think that they are being targeted," Allen says. "They don't even think of them as being connected to the Internet. If you don't at least start looking at your risk associated with your critical systems and putting some controls around them, you're very vulnerable." Another area to consider, says McCarthy, is the airport Website. McCarthy recently per- formed a hacking demo at an airport in Rome where he breached their Website and placed a message on it. "A hacker could cause colossal damage to an airport through a system most people don't even think to protect," he says. "They hack into the Website, change your parking URL to a nearly identical one that they own, send out a phishing email to your customers telling them they'll get 50 percent off their parking if they book online, and all of this money goes to the hackers. And they haven't even touched the IT system in the airport!" DIGITAL DEFENDERS Nessi recommends taking the Defense in Depth approach to cyber security. Defense in Depth is defined as the coordinated use of multiple security countermeasures to protect the integrity of an organization's information assets. The idea is that it's more difficult to defeat a complex and multi-layered defense system than to penetrate a single barrier. Defense in Depth minimizes the proba- bility that malicious hackers will succeed by employing a well-designed strategy that aids system administrators and security person- nel in identifying attempts to compromise a computer, server, proprietary network or ISP (Internet service provider). Should a hacker gain access, Defense in Depth minimizes adverse impacts and gives administrators time to deploy new or updated countermeasures to prevent recurrence. This strategy utilizes antivirus software, firewalls, anti-spyware programs, hierarchical passwords, intrusion detection and biometric DOM NESSI'S TIPS FOR BETTER CYBER SECURITY f Hire good cyber security people to monitor your systems. Those certified by (ISC)2 have the training needed to adequately protect IT data and systems. f Place cyber security professionals in the right areas. They need to be in a position to oversee IT operations and the IT environment in an unfettered manner. f Give cyber security experts the authority to raise issues that might be unpopular. f Remember cyber security is a 24/7 business. You have to commit to dealing with it 24 hours a day, seven days a week. "Cyber security is an issue that impacts your board, your C-level suites, your technology, etc. It's not just your IT people," he says. 26 airportbusiness October 2014 "Here's the scary part about these incidents: They are attacking and targeting airports– and nobody really knows why." ANDRE ALLEN, INFORMATION AND CYBER SECURITY MANAGER, GCR INC.