Cyber security is a growing enterprise-wide issue and permeates every aspect of modern life. Airports are part of the critical infrastructure and thus are particularly vulnerable to internal and external cyber threats and attacks from criminals, terrorists, or foreign actors.
Cyber threats affect more than traditional IT infrastructure such as email and the Internet. Many airports also rely on SCADA-type industrial control systems for such systems as HVAC, utilities, baggage systems, and business processes such as facility management. Airport directors may believe that SCADA-type systems are secure due to their limited or lack of Internet access and/or because they are physically secure, but they too pose risks to the organization.
The move towards employees preferring to use their personal devices for work, such as smartphones and tablets [which is known as Bring Your Own Device (BYOD)], is becoming ubiquitous. Increasingly, this is occuring at airports where airport personnel are also wishing to bring their own devices into the workplace. But this can be problematic if these devices interact with enterprise systems, such as email and provide VPN access. Devices can be used to introduce viruses or surreptitiously gather information. Employees can unknowingly introduce viruses and allow nefarious users access to enterprise systems by visiting reputable websites (such as their local newspaper), clicking on a link in an email, visiting social media sites, or by inserting an infected USB drive in their computer or device.
These risks can’t be eliminated, but implementing industry standards, best practices, and an awareness program for all employees can help mitigate them. Airports can also use their existing relationships with local, state, and federal law enforcement agencies to assist them with identifying and responding to anomalous activity to ensure an appropriate response and resolution.
The objectives of this research are to develop (1) a guidebook to help airports develop and/or maintain a cyber security program and (2) multi-media material(s) that address risk awareness by highlighting the different cyber security threats likely to be confronted by airports that can be used by cyber security/IT professionals to educate airport staff. The guidebook should address at a minimum:
- Industry standards, policies and procedures, and best practices for IT security systems;
- Threat and risk awareness for executives and staff;
- Initial and recurrent training needs;
- Integrating cyber security practices into existing business processes;
- Leveraging federal, state, and local agency relationships; and
- Legal responsibilities and reporting requirements.
The standards, policies and procedures, and best practices should address at a minimum the following areas:
- Identifying and responding to criminal activity or suspected criminal activity
- Data privacy
- Emerging technology threats and risks
- Identifying anomalous activity
- Managing third-party vendors and service-level agreements
- Managing other airport IT infrastructure users (e.g., airport tenants, passengers)
- Mitigation techniques
- Network access control including wi-fi and remote access
- Ongoing maintenance and management,
- Social media
- Social engineering
Status: The panel has reviewed the interim report. The guidebook is expected July 2014.