There are two kinds of people out there, those that have been hacked, and those that just don’t know it yet.
Cyber is the new battlespace and it’s not just IT’s problem. It’s an airport security problem, and there’s a reason your Chief Information Officer is your new best friend. Cybersecurity incidents are on the rise, both globally and nationally. The average cost of a security breach is upwards of $7.35 million, with over 1.4 billion data records exposed every year.
How prepared is your airport to prevent or recover from a cyber-attack? A 2020 study conducted by ImmuniWeb showed that 97 of the world’s 100 largest airports failed to pass cybersecurity testing. Most airports had outdated software, had known or exploitable vulnerabilities, and either lacked secure sockets layer (SSL) encryption or were using obsolete versions. Don’t know what SSL is? You should.
On October 10th this year, over a dozen airport websites were brought down using a DDoS (Distributed Denial of Service) attack. Although the attack didn’t cause permanent damage, it should put our industry on notice that airports are not immune from cyber-attacks. It also likely exposed weak spots in our information technology systems for possible future exploitation. Don’t know what a DDoS attack is? You should.
In 2019, the Albany County Airport was the victim of a ransomware attack, which captured encrypted administrative files such as budget spreadsheets. Although airport operations were not affected, the airport’s insurance carrier authorized a bitcoin payment to the attackers of “under six figures.” Two hours later, the airport received an encryption key allowing the data to be restored. Don’t know what a ransomware attack is? You should.
Since cyber-attacks don’t appear as traditional aviation security threats, like bombings, hijackings, or active shooters, Airport Security Coordinators (ASCs) may think that cybersecurity is just an IT problem. But according to TSA, it’s not. Nor should it be. Last year, TSA required airports to appoint a Cybersecurity Coordinator (CSC) and then proceeded to look at revising several aviation security programs to better address cybersecurity. Several changes have been required, with the latest revision currently on hold, but you can expect the agency will circle back on this evasive and evolving threat.
Today’s aviation security threats aren’t just bombs, guns, and knives; they are ones and zeroes, and the results of an attack can be costly and devastating. The good news is that most attacks can be prevented or mitigated through good employee and contractor cybersecurity practices. Many attacks come from former employees whose access to the business’s IT systems hadn’t been changed since their employment ended. A significant number of other attacks are inadvertent and relate to poor cybersecurity workplace practices. Conducting regular audits and updates of your IT systems, plus annual cybersecurity training and individual testing, are just some of the basic methods to reduce the odds of your IT systems being attacked.
Most recently, AAAE updated the Certified Member Body of Knowledge and the Airport Certified Employee-Security Body of Knowledge modules. In both cases, there were significant expansions to the cybersecurity and information technology sections to reflect the growing threat of cyber-attacks, and the importance of IT to the airport and the National Airspace System.
Aviation security changes over the years have been a series of threats and events that result in TSA issuing new security procedures. Typically, these procedures require inspections, patrolling, and other manpower-intensive requirements. In the current environment, cybersecurity is a different animal, and support doesn’t come from traditional resources like contract security companies and equipment.
Many airports have placed their physical access control systems, including the badging component, on internal secure networks to protect these vital systems. As airports update access control systems, and many add identity management systems, the newer systems have cloud-based elements that now include exposures outside internal secure networks. Credentialing offices have always had a significant responsibility in protecting badge applicants' personally identifiable information (PII), and with these system migrations, cybersecurity has become a significant challenge.
Looking ahead, airports should be thinking about all new Information Technology (IT) and Operational Technology (OT) system projects planned or under design. A cybersecurity review should be part of the project plan to determine whether cybersecurity measures are necessary and, if they are, to ensure they are properly addressed. Additionally, when a system is implemented, the airport should conduct penetration testing prior to going live. Many airports do not have the in-house expertise for both the review and the penetration testing; best practice is to bring in a qualified third party, especially for the penetration testing. Finally, once the system is implemented, it must be monitored like all other IT/OT systems that currently require monitoring and incident reporting.
Airport security and IT staff have always had relationships regarding access control and other security systems; however, cybersecurity reporting requirements have changed these relationships and require further cooperation and communication.
By Jeffrey C. Price C.M., Lori Beckman A.A.E., and Brittany Blish
Written for the 2022 AAAE Annual Aviation Security Summit.