Cyber security is a growing enterprise-wide issue and permeates every aspect of modern life. Airports are part of the critical infrastructure and thus are particularly vulnerable to internal and external cyber threats and attacks from criminals, terrorists, or foreign actors.
Cyber threats affect more than traditional IT infrastructure such as email and the Internet. Many airports also rely on SCADA-type industrial control systems for such systems as HVAC, utilities, baggage systems, and business processes such as facility management. Airport directors may believe that SCADA-type systems are secure because they have limited or no Internet access and/or because they are physically secure, but they too pose risks to the organization.
The move towards employees preferring to use their personal devices for work, such as smartphones and tablets [which is known as Bring Your Own Device (BYOD)], is becoming ubiquitous. Increasingly, this is occurring at airports, where airport personnel also wish to bring their own devices into the workplace. But this can be problematic if these devices interact with enterprise systems, such as email, and provide VPN access. Devices can be used to introduce viruses or surreptitiously gather information. Employees can unknowingly introduce viruses and allow nefarious users access to enterprise systems by visiting reputable websites (such as their local newspaper), clicking on a link in an email, visiting social media sites, or by inserting an infected USB drive in their computer or device.
These risks can’t be eliminated, but implementing industry standards, best practices, and an awareness program for all employees can help mitigate them. Airports can also use their existing relationships with local, state, and federal law enforcement agencies to assist them with identifying and responding to anomalous activity to ensure an appropriate response and resolution.
The objectives of this research are to develop (1) a guidebook to help airports develop and/or maintain a cyber security program and (2) multi-media material(s) that address risk awareness by highlighting the different cyber security threats likely to be confronted by airports that can be used by cyber security/IT professionals to educate airport staff. The guidebook should address at a minimum:
- Industry standards, policies and procedures, and best practices for IT security systems;
- Threat and risk awareness for executives and staff;
- Initial and recurrent training needs;
- Integrating cyber security practices into existing business processes;
- Leveraging federal, state, and local agency relationships; and
- Legal responsibilities and reporting requirements.
The standards, policies and procedures, and best practices should address at a minimum the following areas:
- Identifying and responding to criminal activity or suspected criminal activity
- Data privacy
- Emerging technology threats and risks
- Identifying anomalous activity
- Managing third-party vendors and service-level agreements
- Managing other airport IT infrastructure users (e.g., airport tenants, passengers)
- Mitigation techniques
- Network access control including wi-fi and remote access
- Ongoing maintenance and management
- Social media
- Social engineering
The ACRP is seeking the insights of proposers on how best to achieve the research objectives. Proposers are asked to develop and include a detailed research plan for accomplishing the project objectives. Proposers are expected to describe research plans that can realistically be accomplished within the constraints of available funds and contract time. Proposals must present the proposers' current thinking in sufficient detail to demonstrate their understanding of the issues and the soundness of their approach to meeting the research objectives. The work proposed must be divided into tasks and proposers must describe the work proposed in each task in detail.
The research plan should include appropriate interim deliverables that include at a minimum: (1) review and approval of a data collection plan; (2) review and approval of the list of the standards, policies and procedures, and best practices that are to be included in the guidebook; (3) review and approval of the outline of the guidebook and a detailed outline or mock-up of the multi-media material(s); and (4) an interim report that describes the work done in previous tasks and provides an analysis of the information collected, with recommendations for subsequent tasks.
The research plan should build in appropriate checkpoints with the ACRP panel, including at a minimum: (1) a kick-off teleconference meeting to be held within 1 month of the Notice to Proceed, (2) one face-to-face interim deliverable review meeting, and (3) web-enabled teleconferences tied to the panel review and ACRP approval of other interim deliverables deemed appropriate.
The final deliverables will include: (1) the guidebook, (2) the multi-media material(s), and (3) a final report that documents the entire project that includes the research team’s recommendation of research needs and priorities for additional related research for ACRP.
Status: The panel has selected a contractor and the contracting process is underway.