Cybersecurity: Keeping cyber secure

Airports face a range of different threat horizons and attack vectors, ranging from criminal gangs and opportunist hackers to political activists and cyber terrorists. Keeping pace with new cybersecurity developments and mitigating current threats is a challenge every airport faces.

Mainstream cybersecurity measures are often focused on the traditional elements of an IT network and will therefore fall short of fully understanding the cybersecurity needs of an airport. In my view, a more holistic approach is needed that encompasses wider elements of the airport’s infrastructure.

Recent technological developments and moves to increase efficiency have resulted in the merging of traditional IT networks with SCADA (Supervisory Control and Data Acquisition Systems). Now airports often have homogenous networks that are bolted together with cybersecurity as an afterthought. This is a challenging and complex problem. Additionally the use of BYOD (Bring Your Own Devices) to create electronic boarding passes and the use of internet-based services has created a borderless network. Thus the challenge facing airports is a constant moving technological platform that requires the cooperation of multiple departments and disciplines across the airport to manage security effectively.

In the wider arena, airports form part of a nation’s critical national infrastructure and therefore have national responsibilities as well as local operational demands. Thus unique reporting procedures to government are required. All this is happening in an environment of uncertainty and rapid technological change.

Solving the problem in a silo

Cybersecurity is a hot topic and over the past year I have attended meetings at large and small airports in the USA, Europe and the UK. I have met with senior level board members as well as IT security experts, all of whom are anxious to understand the ‘cybersecurity’ problem and how it relates to them. And this is the key point – they want to understand it from their own perspective. Unfortunately, cybersecurity touches all elements of airport life and therefore does not easily fall into a convenient silo.

In recent years we have seen a new level of interconnectedness of devices and systems and therefore to fully understand this and how it impacts upon cybersecurity we need to examine the problem from outside the traditional boundaries of departmental logic. In fact I think it needs to encompass elements outside of the airport itself.

This is challenging, because as much as people are keen to do what is required, they often don’t fully understand the role they need to play. So how do we create a common purpose and outcome for all the players? IT and technical players will want to apply technical solutions to the cybersecurity problem, and in many ways they are right to do so. Managers may examine a risk-averse solution and strategy, while government will want assurance that all is being done to protect the critical national infrastructure. So what is the answer?

Many would like to tick the ‘cyber’ box as done. Will cybersecurity become a part of the risk-averse strategies of airports and become a quarterly meeting agenda item? In many ways I hope not. Academics and scientists, both in the UK and USA, are proposing solutions to measure and ensure cybersecurity resilience. Many are still in their infancy and yet to be fully tested. These I am sure will evolve into a workable solution for some of the larger airports which have the resources to implement these frameworks.

Smaller airports with fewer resources will be faced with a quandary. How do they implement these complex frameworks when they do not have the staff, resources or money? At present, the government is focusing on major airports and cannot see how to help smaller airports outside of providing free literature and online advice.

We should remind ourselves of this simple fact: Every aircraft that takes off at one airport lands at another. The ecosystems of airports’ IT systems are intertwined on many levels. Therefore to focus on a large airport alone is like putting a steel door on the front of your house while leaving a window open.

Working towards a holistic solution

To have any chance of success, a cybersecurity solution needs to encompass every airport – large and small. This is a challenging task and requires a step change in working practices where airports which have different owners will have to work together. And this will not come easily or naturally. Sadly we may need a major cyber incident to kick-start this level of cooperation. I hope not.

Much of my research over the past year has been to examine how we can create a common solution that fits both large and small airports in equal measure. At the Cyber-Physical Systems Research Centre, based at Cranfield University and sponsored by ServiceTec, we are examining how this could be achieved. One key area of importance is the interface between systems. This is often where they are at their most vulnerable. Huge sums have been spent creating technological interfaces, but what about the need for airport staff to understand cyber terminology? Here is an example where technical interfaces are well developed but the systems are vulnerable in other ways.

One common threat that is often overlooked is social engineering. The threat from social engineering is ever present and airports often have Common Use IT systems with multiple users on multiple machines. This offers many opportunities for social engineers to take advantage of the high staff turnover and busy environment to access IT systems. The systems themselves are also complex to secure as they house multiple applications on multiple nodes with differing operating systems. An adept social engineer could create havoc at a major airport simply by entering the systems via a smaller airport.

In this scenario we see it is the human element that is the weakest. We have heard this many times before but how do we strengthen the soft elements of airport cybersecurity? We need to develop common goal and language that is global in its reach and understanding. We need to create a cybersecurity culture where cyber hygiene and good practice are second nature to everyone.

We like to think of ourselves as being technologically-advanced, and we are, but many of us fail to understand how simple cyber hygiene could avert many of the attacks and problems facing us today. Our understanding of how we operate in a cyber environment in still very much in its infancy. Let’s look at some examples. It was only a few years ago that major viruses were spread via the internet by opening email attachments. Many of us did not know the risks, and those magic words in the subject line saying ‘I love you’ meant common sense left us long enough to open and transmit the virus. We are, I hope, now much more wise to this type of virus but how many of us would see a USB flash drive as a free gift and load it on our workstations? This is a common attack vector for social engineers who often leave USB drives lying around in car parks for unsuspecting victims to pick up. In other areas of our life we have good hygiene practices. We wash our hands after using a washroom and cover our mouths when we sneeze. We need to develop similar cyber hygiene practices inside and outside of our workplaces.

So my view is to start simply with good cyber hygiene practices. Get everyone in the airport involved, start from the top, and lead by example. We need simple messages on good cybersecurity practices that everyone at all levels of the organisation can understand and can adopt.

Once we have a good cybersecurity culture all departments in the airport will understand each other’s needs in relation to cybersecurity so much better. Many of the hurdles we now face in relation to bringing parties together to solve cybersecurity problems will be easier to overcome. Our relationships with external authorities and other airports will be easier as we will understand each other’s needs and we will support each other in achieving them. Depending on your point of view this may sound over ambitious or too simplistic. Either way, creating a common goal with familiar language will go a long way to help foster a healthy cybersecurity culture and thus address many of the cybersecurity problems we face today.

Biography

Dr John McCarthy is a world-renowned authority on cybersecurity strategy, development and implementation. He holds a PhD in Cybersecurity and eBusiness Development and has authored a number of academic papers discussing all aspects of cybersecurity in the modern world. At Cranfield University John heads a research team examining the potential cyber threats to IT systems within airports. John also sits on a number of prominent U.S. committees offering advice and policy guidance to the U.S. Government on cybersecurity matters. He is also a panel member of the American Transport Research Board, an active member of the British Computer Society, Elite and the International Committee on Information Warfare and Security.

John chaired and delivered sessions at International Airport Review’s two 2013 conferences – Airport Security and Airport IT&T, and is frequently invited to sit on expert panels and appear as an expert speaker at well-known cybersecurity events. He joined International Airport Review’s Editorial Board in January 2014.