Security: The hidden ‘insider’ threat of the aviation sector

To define the insider threat more clearly, we first need to understand what constitutes an ‘insider’ within an aviation context. Essentially in an airport environment, an insider is an individual who exploits their knowledge or access to their airport, airline, or organisation’s assets, for unauthorised purposes. So, the insider could be virtually anyone, including an employee, contractor, consultant or anyone else who has legitimate access to their organisation’s information or assets. This problem is especially difficult to manage when you consider the interdependencies and wealth of information that moves around an airport.

So why are insiders so dangerous? The danger presented by an aviation insider is that they already understand the external security of airports and aviation assets and will be able to exploit their knowledge of these security measures. Many aviation insiders potentially also have access to the most critical and sensitive parts of an airport. They are already in a position of trust and might hold an access badge to an airport’s airside, for example. Given this enhanced level of access, they are more likely to be able to identify vulnerabilities and target the weakest areas within their airport.

What motivates an insider?

The motives of an insider can be varied and can include gaining financial advantage through low-level or organised crime activities. They can be issue-driven (e.g. environmentalist groups), terrorism focused, or an individual may become an insider simply because they are disgruntled or unhappy with the way they have been treated by their organisation. However, the motivation may also be due to a combination of the above factors. Motivation is a complex issue, as two employees may be faced with an identical situation, while only one may decide to act against the interests of their organisation.

Methods of attack

Once an insider has decided to act, their attack methods can vary. These can include sabotage or damage of assets or infrastructure, facilitation of unauthorised third-party access, unauthorised disclosure of data or information, theft, or even financial corruption. For those with criminal and/or financial motivation this could take the form of smuggling drugs or other commodities to, or from, their country via aircraft or cargo. I would suspect that all airports have criminal activity taking place within them, and much of this activity by its very nature requires the involvement of an insider in some capacity.

Examples of criminal insiders within airports exist globally, from the insider cocaine smuggling conspiracy among a number of British Airways cargo workers at Heathrow Airport in 2013, to several TSA screeners charged for allowing large amounts of drugs to pass through X-ray machines at Los Angeles Airport in 2012. Another example of smuggling in an airport environment took place when an insider carried out a gun smuggling plot to bring large numbers of firearms into JFK International Airport. The commodity is irrelevant, as the same exploitation of vulnerabilities will be present, and it is the gross breach of trust that is arguably of greatest concern.

The consequences of a terrorist insider can be even more catastrophic; for example, in the case of Rajib Karim, a worker within British Airways IT department. During a strike by flight crew he attempted to get a temporary position as a flight attendant with the aim of smuggling a bomb on board a British Airways aircraft, fortunately his plans were thwarted. However, in the case of Russian Metrojet flight 9268 (2015), it is believed that a mechanic at Sharm El-Sheikh International Airport was able to plant a bomb on the plane resulting in the deaths of 224 passengers. In February 2016, a further incident involving airport insiders occurred on Daallo flight 159 travelling from Mogadishu, Somalia to Djibouti City, where two airport workers, believed to be associated with Al-Shabaab, helped smuggle a laptop bomb on to the plane, which later exploded. Fortunately, the pilot managed to land the damaged plane safely.

With access to sensitive data, cyber attacks are just one way an insider can be a threat

Identifying the insider threat

Much attention has been given to behavioural indicators of potential insider threat actors. However, everyone has life experiences where their behaviour could potentially change from time to time. While obvious lifestyle and behavioural indicators such as an employee becoming rich for no apparent reason; someone becoming more reclusive and disengaged from colleagues; an employee carrying out unauthorised or suspicious activity; through to an employee expressing strong and hostile views against their organisation, may be seen as insider threat indicators, they may also be due to some other issue such as workplace bullying, bereavement, lifestyle stressors or the triggering of psychological vulnerabilities.

However, indicators can be important where they are repeated and there is an unaccounted change to usual behaviour. The key factor is that someone needs to take responsibility to act appropriately when these indicators are present.

What makes this complex is that there is no standard profile of an insider. However, certain traits have been found to be present in some insiders. These include excessive feelings of self-importance, arrogance in their dealings with colleagues, a manipulative nature, displaying a superficial persona with colleagues, and impulsiveness in their decision-making. Nonetheless, as well as some insiders possessing high self-esteem, others have been found to suffer from low self-esteem. If you look at your work environment, I am sure many of the above traits can be found, however, possession of these traits does not necessarily mean they represent an insider threat!

Malicious or unintentional insider?

While the common understanding of what constitutes an insider focuses on the ‘malicious insider’ who knowingly undertakes their action, an equal danger exists through the actions of the ‘unintentional insider’.

Many employees by their actions unwittingly leave themselves and their organisations vulnerable to infiltration or attack e.g. through the use of social engineering. Within a dynamic environment, such as the aviation sector, these actions could potentially lead to loss of life, destruction of infrastructure, financial loss, and reputational damage to aviation organisations. While the unintentional insider is not aiming to harm their organisation, the impact of their omission or failure to comply with procedures could be equally as devastating as the impact from a malicious insider attack.

The exploitation of vulnerabilities

Everyone is vulnerable at some point in their life, be it through bereavement, divorce, financial issues or other personal circumstances. An employee suffering from depression, loneliness, mental illness, or who is a victim of an addiction such as drugs, gambling, or alcohol, is vulnerable to external exploitation. Indeed, mental health and substance abuse is a growing concern worldwide, and the aviation sector is not exempt from this issue.

For example, former British Airways pilot, Julian Monaghan, was convicted of being drunk on duty, after he was removed from a flight from London Gatwick to Mauritius, shortly before take-off, when cabin crew smelled alcohol on his breath. As an addiction gets worse, coping mechanisms fail, life breakdowns begin to occur, and, in the late stages of addiction, an individual will go to dangerous lengths to service their addiction.

In recent years, several at-risk airport insiders have created vulnerabilities within the aviation sector, and in some cases have caused damage to their organisations.

How can you combat the insider threat?

So, how can your organisation deal with the threat from insiders? Unfortunately, there is no ‘silverbullet’ to solve the problem. An insider may have several issues which are occurring within their life and which cause them to work against the interests of their organisation and fellow workers. While financial motivation may play a significant role in an insider acting against their organisation, this may potentially be coupled with disaffection or disgruntlement over their treatment by their organisation and their colleagues.

If you are going to attempt to deal with insider threat activity, it is necessary to adopt a holistic and integrated approach to organisational security. This would focus the greatest activity on critical parts of the organisation such as IT systems, client information, and critical infrastructure. Mitigation measures that should be considered include:

• Obtaining strategic buy-in to the development of an insider threat programme
•  Identifying key infrastructure and assessing potential vulnerabilities which could be exploited by an insider
• Undertaking strategic and personal level ‘insider threat’ risk assessment processes
• Creating robust pre-employment screening and recruitment processes to prevent insider infiltration
• Identifying and developing on-going security measures to address the issue of insiders already within your organisation
• Creating an effective organisational security culture to mitigate the opportunities for insider attack, always fostered from the top (of the organisation) to all levels, with a permanent support structure and engagement by senior management
• Developing an insider threat exercising programme for management, to identify insider mitigation measures and understand the organisational impact of an insider attack
• Creating an environment where the pursuit of improvement is normal and natural, enhancing resilience and capacity to deal with every kind of insider threat
• Implementing staff education/training, and developing key processes, to reflect insider threat concerns.

The above measures are only a small part of a wider insider threat response; however, they are worthy of consideration if you wish to combat and mitigate against the threat from an insider within your own organisation.