Airport security 2013 john mc carthy

Creating and Using an Airport Threats Analysis Framework Dr John McCarthy ServiceTec Research Fellow Cranfield University / UK Defence Academy


Transcript of Airport security 2013 john mc carthy

Page 1: Airport security 2013   john mc carthy

Creating and Using an Airport Threats Analysis Framework

Dr John McCarthy

ServiceTec Research Fellow

Cranfield University / UK Defence Academy

Page 2: Airport security 2013   john mc carthy

Creating an Airport Threat Analysis Framework

Dr John McCarthy Ph.D. B.Sc. (hons) MBCS

Vice President of Cyber Security, ServiceTec International Inc. / ServiceTec Research Fellow at Cranfield University / UK Defence Academy

Page 3: Airport security 2013   john mc carthy

Partners

Cyber-Physical Systems Research Centre based at Cranfield and sponsored by ServiceTec

Centre for the Protection of National Infrastructures

University of Nebraska

Federal Aviation Authority

Joint Information Operations Warfare Centre, Vulnerability Assessment Branch (JVAB) USA

Page 4: Airport security 2013   john mc carthy

What is it?

A means of measuring an airport's capability to resist and recover from cyber-attack – ongoing research

Page 5: Airport security 2013   john mc carthy

The problem

"There is no question that the whole arena of cyber attacks, developing technologies in the information area represent potential battlefronts for the future. I have often said that there is a strong likelihood that the next Pearl Harbor that we confront could very well be a cyber attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems."

Defense Secretary Panetta, 2011

Page 6: Airport security 2013   john mc carthy

The problem – Not just standard IT

SCADA systems

BYOD

Electronic boarding passes

Common Use IT systems with multiple users on multiple machines

Social engineers take advantage of high staff turnover and a busy environment to access IT systems

Page 7: Airport security 2013   john mc carthy

Shared Systems

CUPPS

Page 8: Airport security 2013   john mc carthy

The Problem

To emphasize this, Bob Cheong, Chief Information Security Officer of the Los Angeles Airport, reports that a variety of cyber-attacks in Los Angeles have occurred in the last several years:

• there were over 6,400 attempts to hack into a new file server two days after it was deployed;

• in a one-year period, nearly 59,000 Internet misuse and abuse attempts were blocked;

• finally, in that same one-year period, 2.9 million hacking attempts were blocked.

Page 9: Airport security 2013   john mc carthy

The problem – Not just standard IT

• To add to the problem, cyber security policies are deployed and acted upon during ICT stasis. As airports rapidly expand, ICT systems may be in a state of flux

• The earlier work by the authors has shown that this is when they are at their most vulnerable

• Airports are also made up of many smaller firms. It has been noted in many academic works that small firms are not capable of managing ICT and cyber security

Page 10: Airport security 2013   john mc carthy

Who is the enemy?

• Cyber terrorists

• Hacktivists

• Cyber criminals

• Organized crime

• Disgruntled employees

• Kiddies

• Foreign governments

Page 11: Airport security 2013   john mc carthy

Dom Nessi

In October of 2011, Dom Nessi delivered an address to the Airports Council International of North America outlining the cyber security threats facing airports, the potential vectors that might be used in an attack, and tactics for securing known vulnerabilities.

Page 12: Airport security 2013   john mc carthy

Dom Nessi

Amongst Nessi’s threats were several that were focused on external airport operations, such as:

• external airport or airline websites

• concession point-of-sale

• credit card transaction information

• passengers’ wireless devices.

Page 13: Airport security 2013   john mc carthy

Dom Nessi

However, the overall impact of cyber-attacks on systems external to airport operations is small when compared to attacks on systems required to perform internal airport operations. Nessi points out several potential targets within this realm, including:

• access control and perimeter intrusion systems

• eEnabled aircraft systems

• radar systems

• wireless and wired network systems

• network-enabled baggage

Obviously, a variety of vulnerabilities occur within cyberspace because of humans, hardware, software, and connection points that provide access to such systems

Page 14: Airport security 2013   john mc carthy

SCADA - Historical problems

Supervisory Control And Data Acquisition (SCADA) systems act as the hidden computer equipment behind large infrastructures that are essential to maintaining the quality of our life.

These infrastructures include electrical power grids, water purification and delivery, gas, and other utilities, as well as trains and transportation systems.

Legacy SCADA systems, planned and implemented possibly decades ago, were either not designed to be secure, or were designed with “security through obscurity”. In the design and analysis of these systems, features such as physical isolation and technical uniqueness greatly reduced the possibility of cyber attacks.

But this is no longer true with newly designed SCADA systems, and it is no longer as true with legacy systems that might now be connected to corporate networks.

Page 15: Airport security 2013   john mc carthy

Why is Security an issue for SCADA?

The SCADA environment is different:

SCADA computations and logic have a direct effect on the physical world

Safety and efficiency sometimes conflict with security in the design and operation of control systems

Ordered list of security expectations from SCADA

1. availability

2. integrity

3. confidentiality

Page 16: Airport security 2013   john mc carthy

The Empire State Building and midtown New York City are shown during the 2003 blackout. (Photo)

Page 17: Airport security 2013   john mc carthy

SCADA Attacks

A water treatment plant near Harrisburg, PA was attacked. The hacker planted malicious software into the control systems and could potentially have altered or stopped the operation of the treatment plant

The water treatment facility in Queensland’s was accessed by a disgruntled past employee named who used a wireless connection into the pumping and valve system to route millions of gallons of untreated sewage into a creek adjacent to a hotel

Another often cited example is the train system in Poland. Four vehicles were derailed when a teenage boy hacked into the SCADA equipment controlling the track switches, using a modified television remote control

Page 18: Airport security 2013   john mc carthy

An Examination of a Major Hub Airport

At a major hub airport in North America that we examined, the critical driver for increased security has been the implementation of Payment Card Industry (PCI) compliance regulations for secure credit card transactions.

PCI has forced many airports to upgrade and improve security measures or face the loss of revenue from credit card transaction processing.

Without this driver the increase in security measures would have been considerably slower.

Page 19: Airport security 2013   john mc carthy

An Examination of a Major Hub Airport

• There was also a widely held belief that the SCADA systems in the airport were isolated from the main IT backbone. Often the car parking and baggage control systems were separated from the main IT network by hardware firewalls.

• These firewalls were “assumed” secure by IT staff and it was often unclear who had responsibility for managing and configuring these firewalls.

• Additional services could be added to the network without all relevant IT staff being aware of the changes.

• There appeared to be no overarching group or committee that had a direct focus on cyber security measures.

• Security measures were left in multiple hands, and ad hoc systems were assumed isolated due to previous hardware and software configurations without ongoing checks and testing.

Page 20: Airport security 2013   john mc carthy

Towards a Solution

Mainstream Cyber Security measures are often focused on the traditional elements of an IT network and will therefore fall short of fully understanding the cyber needs of an airport

A more holistic approach is needed that encompasses wider elements of the airport’s infrastructure

Taking a multi-disciplinary approach by working with a range of agencies we are moving towards the goal of being able to measure an airport’s cyber resilience and recovery capabilities.

We must create a cyber culture

Page 21: Airport security 2013   john mc carthy

Towards a Solution

Nessi’s assessment settles on four components within an airport that are vulnerable to cyber attack, each of which “require a different approach to security”:

• the network

• the device

• the application

• the back-end system

His resolution for securing such systems is primarily to focus on process, culture, staffing, and training.

Specifically, he recommends continuous software configuration management for software and hardware, and following established updating protocols;

Page 22: Airport security 2013   john mc carthy

Towards a Solution

• “social engineering awareness” campaigns educating staff on proper use of software, hardware and access points and potential exploits that expose human error and provide access to unauthorized persons;

• performing penetration testing by both those with internal access and by external, third-parties such as external audits by Department of Homeland Security employees or approved vendors.

• Nessi is a supporter of recruiting the right security personnel and continuing their training, opting for Certified Information Systems Security Professional (CISSP) certification.

Page 23: Airport security 2013   john mc carthy

Towards a solution

Full inter-agency dialogue

A “no blame” culture about cyber attacks

Banishing the idea of “us and them”

Large airports are “safer”

Smaller ones can swim on their own and are not as important

Every plane that takes off lands, all airports are connected

Page 24: Airport security 2013   john mc carthy

Playing Dirty - A Red Team Strike

• The red team’s job is straightforward: seek and destroy. A red teamer will use every tool available to compromise a target network and tear down a blue team’s defenses, with the ultimate goal of taking control of one or more critical systems in order to spy, sabotage, or destroy.

• Undertaking this with an airport in the USA this year

Page 25: Airport security 2013   john mc carthy

Heathrow Dependency Modelling

To fully understand how all the systems work together we need to create a dependency model – what happens when?

We are undertaking this research with the Centre for the Protection of National Infrastructures at Heathrow

Unless we fully understand how our dependencies operate we cannot understand our systems and environment

Page 26: Airport security 2013   john mc carthy

Risk Management really is a matter of life or Death!

19/10/2011 26 Bow Ties and Incidents

Page 27: Airport security 2013   john mc carthy

How to Manage my Risk?

I’ve done this often before

Will my boss/shareholders support me if ..…?

I want to be safe

Is it different from usual?

save time

save ££££

I like to do a good job

be safe

I want the business to succeed

I am judged on….

Does doing this feel right?


Page 28: Airport security 2013   john mc carthy

Our aim from a traditional military viewpoint

Page 29: Airport security 2013   john mc carthy

A Multi Agency Approach

• Many agencies and governments favour a multi-lateral approach to solving cyber security.

• Thus any analysis framework must be undertaken from a multi-agency perspective.

• To ignore this perspective may allow cyber threats to go unnoticed or allow cyber responsibilities to fall between parties and not be resolved.

Page 30: Airport security 2013   john mc carthy

How do we achieve this across multiple agencies, disciplines and even countries?

• Tough challenge

• Will we need a cyber Pearl Harbor before we react?

• Raised more questions than answers

• Would you like to get involved?

Page 31: Airport security 2013   john mc carthy

"I have often said that there is a strong likelihood that the next Pearl Harbor that we confront could very well be a cyber attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems."

Defense Secretary Panetta, 2011


www.airportcybersecurity.com

Airport Cyber Security Podcast