by James E. Gilbert
October 22, 2011
Abstract
The
protective measures safeguarding the airline industry face a multitude of
threats in the modern era. Just as
security fundamentals changed in the days following September 11, 2001, today the international community is forced
to combat the newest peril to air travel: cyberattacks. The following paper discusses the potential
risks cyber threats pose to airline passengers and outlines a proposal to harden
the digital infrastructure at international airports. The paper concludes with an implementation
plan that focuses on the advantages and disadvantages of employing a
cybersecurity policy in terms of time, cost, and convenience.
Introduction
In
a 2008 study conducted by wireless provider AirTight Networks, researchers
found fourteen airports in the United States, Canada, and Asia with inadequate
or nonexistent wireless security. Over three quarters of the Wi-Fi networks
were private and, based on an in-depth analysis, AirTight estimates there was
a significant probability a portion of these networks were used for internal
airport operations. Sri Sundaralingam,
senior director of product management at AirTight, details how researchers at
his company were able to detect the unsecured networks with off-the-shelf
software and equipment. As a potential
threat, Sundaralingam theorizes how simple it would be for hackers or
terrorists to “work their way into the baggage transition system and reroute
luggage all over the world.” Although
seemingly innocuous, such an incident could have far-reaching economic and
security consequences for the international community (“Cyber Security
Lacking”, 2008).
In
2010, the ten busiest international airports served over 400 million people
worldwide (Addison, 2010). As millions
of individuals transit the globe, a single lapse in security can put hundreds
or thousands of fellow passengers at risk.
The point of failure may be technology, or oftentimes it can result from
the human component (Swafford, 2011). The former Secretary of Homeland
Security Michael Chertoff aptly points out that “the impact of a cyber attack
could be far-reaching indeed, threatening multiple sectors of the economy at
once and creating cascading effects across interdependent systems and
operations” (2008, p. 480). While the
potential result of a cyber attack can be as significant as a physical attack,
safeguarding against the threat is not the same.
The Threat
On
June 29, 2011, the Common Use Passengers Processing System (CUPPS) at the
Indira Gandhi International (IGI) Airport failed. The system, which coordinates boarding gates,
check-in counters, and arrival times, experienced a “back-end server glitch” and
had to be shut down for 12 hours.
Although the episode appeared to be a normal technical failure,
investigators with the Indian Central Bureau of Investigation now believe the
incident was a deliberate cyber attack.
Even though the breach resulted in only 50 delayed flights, experts
familiar with the system say the attack was likely meant to bring down the
entire system. Initial investigations
found malicious code and serious security vulnerabilities that allowed the code
to be introduced (Kakkar, 2011).
“Of the many challenges facing the global
economy in the 21st century, one of the most complex and potentially
consequential is the threat of a large-scale cyber attack against shared
information technology and cyber infrastructure…” (Chertoff, 2008, p. 480). The US intelligence community has identified
cyber threats from a variety of groups.
Some nations, such as China and Russia, currently possess the capability
to disrupt information systems.
Terrorist groups like Al Qaeda and Hezbollah actively seek technical
knowledge, and criminal elements have successfully employed cyber attacks with
increased sophistication. Given the
alarming increase in the frequency and complexity of cyber attacks, it
is little surprise that the previous two American presidents have made this
threat a priority. In 2011, the White
House published “The Comprehensive National Cybersecurity Initiative” which
listed as one of its initiatives, “…to build an approach to cyber defense
strategy that deters interference and attack in cyberspace by improving warning
capabilities, articulating roles for private sector and international partners,
and developing appropriate responses for both state and non-state actors.” The intelligence and law enforcement communities
are beginning to realize that traditional approaches to cybersecurity are
becoming ineffective and need to become more adaptive.
As the world witnessed, the terror attacks in 2001 had far-reaching economic and
security effects. Beyond the rigorous
security standards enacted for airline passengers, the incident caused a 20%
decrease in global air travel and pushed a number of airlines close to
bankruptcy (Blunk, Clark, & McGibany, 2006).
If illicit organizations were able to compromise the safety of air
travel using cyber instead of physical attacks, the outcome could exact a
heavier toll in lives, damage, and cost.
Proposal
The first step in building a secure organization is conducting a
threat or vulnerability assessment.
Hazards can be based on risks inherent to the group’s industry,
infrastructure model or region (Vacca, 2009).
In the days following the terrorist attacks in 2001, the airline
industry was identified as a critical infrastructure node. This assessment meant that airports were likely
terrorist targets based on the potential economic and security risks they
represented. Similarly, because
international airports are usually large organizations with many disparate
parts, this infrastructure model carries a high risk potential. Lastly, security standards are
not uniform across the globe.
“Turning the focus to international airports often increases security
threats largely due to the logistics involved and the dependency upon other
country’s security measures” (Swafford, 2011).
Once the risks and threats are established, organizations can then take
one of four steps: ignore, accept, transfer, or mitigate the risk (Vacca, 2009).
Because threats to the safety of air travel cannot be effectively ignored,
accepted, or transferred, the risk to airports can only be mitigated, through
a variety of technical and personnel defenses.
As a country that possesses dozens of major international
airports, the United States’ Transportation Security Administration (TSA) is
keenly aware of the various potential points of failure inherent with airline
operations. The TSA identifies a number
of high-risk areas including “aircraft security, passenger screening, baggage
screening, credentials, and human behavior, with human behavior the distinct
largest threat” (Swafford, 2011). These major components of an airport’s
internal operations can be protected with three types of countermeasures:
technical, physical, and personnel.
According
to Valacich and Schneider, technology is used to protect information systems
through “physical access restrictions, firewalls, encryption, virus monitoring
and prevention, audit-control software, and secure data centers” (2012, p.
422). Physical access restrictions
around critical infrastructure nodes such as secure data centers or network
terminals must be established. In this
instance, technical solutions such as biometric authentication, key card
readers, and intrusion detection systems are critical. High priority systems throughout airports
such as ticket and credential validation should be protected with firewalls and
encryption. As AirTight discovered in
2008, international airports using legacy WEP encryption on their wireless
networks were easily compromised (“Cyber Security Lacking”, 2008). Software security is important but only if
the computer administrators properly maintain it. Virus monitoring and audit-control software
must be actively manned and continuously updated. Finally, critical infrastructure points like
airports must implement redundancy throughout their key systems should a
critical server fail.
In the modern era of airline travel, there is little physical
security that does not incorporate some aspect of technology. All hardware and software components of
information systems require physical security.
For example, threats to full body scanners include loss of power and
software defects. Emergency power
sources and environmental controls must be maintained in order for these
systems to remain fully operational.
Physical points of entry into critical internal areas are vital to the
operations of the facility. Security
apparatuses employ audio and video surveillance using telecommunications
equipment. These devices are deployed at
airport points of entry both as a deterrent and an identification tool.
As
with many information systems, the final and most important component in
airport security is personnel. Starting
with the management at international airports, organizations must employ “risk
analysis, supervision, and oversight of both personnel and IT systems” (Swafford, 2011). Whether through negligence or illicit
behavior, the human component of information systems is often the weakest. Managers and supervisors must remain vigilant
in their security oversight functions.
Those individuals entrusted with maintaining the security technology and
cybersecurity access within airports are often the first line of defense
against computer attacks.
Implementation
Executing this approach presents a number of obstacles.
Much like international air travel, the realm of cybersecurity crosses
the borders of sovereign nations as well as public and private
jurisdictions. As many IT professionals
have discovered, no single entity owns the internet or has overall
responsibility for its security.
Cooperation among nations and between government and commercial sectors
is a crucial component in enacting a comprehensive cybersecurity policy for the
international airline industry. Of equal
importance, implementation of this plan must not become a static activity. As the sophistication of technology continually
improves, security must keep pace with the entities that threaten the safety of
cyberspace and those who use it.
Coordination
across nation-states and between companies and government entities will not be
a quick or easy process. The cooperation
between these organizations will require an effort spanning years, not weeks or
months. It will be necessary for both
public and private groups to develop a sense of urgency about the threats from
cyberspace and how their members can enact safeguards. As Chertoff points out, “everyone faces clear
security risks and consequences if the infrastructure is not adequately
protected” (2008).
As
the international community becomes more interconnected through cyberspace,
there is a common interest in protecting the shared domain. The impediment to instituting safeguards,
however, is the disparate structure of the internet. Most governments do not directly own the
hardware nodes that comprise the internet, and many portions of the domain
reside in other countries. Moreover,
within many countries it is private, not public, entities that maintain the cyber
infrastructure. This realization means
organizations must work together to safeguard cyberspace. This must be done in such a way as to
maintain a secure yet convenient portal to the internet.
Finally,
it is critical that nations, companies, and individuals do not become
complacent in their handling of cybersecurity.
As technology advances and threats to cyberspace evolve on a continual
basis, so too must computer defenses.
System administrators like to assure passengers that critical systems
throughout airports are not connected to the internet. Alan Paller, director of research at the computer-security
organization SANS Institute, says this is a flawed argument. Oftentimes, these ‘closed’ systems have
hidden maintenance connections that can be exploited by hackers (Addison,
2010). In a recent incident highlighting
the active threat cyber attacks pose, a computer virus dealt a serious blow to
the Iranian nuclear industry. In 2010,
the Stuxnet worm caused an unconfirmed amount of damage to Iran’s uranium
enrichment facility. The malicious
computer program, which is designed to target the control infrastructure of
industrial systems, allowed anonymous attackers to take over critical internal
controls at an Iranian nuclear site.
This worm “…could technically make factory boilers explode, destroy gas
pipelines or even cause a nuclear plant to malfunction” (Addison, 2010). Given the intended purpose of this worm, it
is not a stretch to assume a similar attack could be programmed for an
airport. In fact, the successor to the
Stuxnet worm, called Duqu, has already been identified by computer security
associates (Sullivan, 2011). Experts
estimate the worm is similar to Stuxnet in that it is designed to remotely take
control of internal controls and that the worm is in an intelligence-gathering
phase. What security professionals have
not been able to determine, however, is what the intended target of Duqu will
be.
Pros and Cons
The
greatest advantage to employing this proposal is the holistic approach it
offers. Organizations often rely heavily
on technology to secure critical infrastructure components. Although strong in one aspect, software or
hardware security can easily be defeated through personnel mistakes or physical
defects. By utilizing technical,
physical, and personnel safeguards in conjunction, organizations are able to
employ redundant means of security. The
proposal set forth in this paper advocates a comprehensive policy using
technology safeguards to enhance physical and personnel security measures.
The
major disadvantage to this approach is cost.
Securing any major infrastructure, such as an international airport,
involves a significant investment in both people and equipment. For fiscal year 2012 alone, the United
States’ Department of Homeland Security requested over $1 billion for
cybersecurity-related technologies (Montalbano, 2011). This figure represents a 10% increase from
the prior year, and the number is estimated to continue growing for the
foreseeable future. Iris scanning card
readers like the ones offered by Verified Identity Pass cost $150,000 each (Swafford, 2011). This is a pricey expenditure for many
countries, but the security offered by such a device must be considered to
ensure the collective safety of international travelers.
Conclusion
Cyberspace
is becoming an increasingly important component of the international
community. From banking and finance to
power and transportation, virtually every major part of the world’s
infrastructure touches the internet in some way. As a result of this shared importance, it has
become as essential to harden security around cyberspace as it is around physical
targets. To do this, cooperation among nations and between sectors is
crucial. A comprehensive approach to
security incorporating physical, technical, and personnel security provides a
robust cybersecurity solution. The
internet is not only an effective method to conduct business, but the medium
has become a convenient conduit for criminals, terrorists, and hackers
alike. “If
international air travel is to be safe then every country must work together in
order to achieve the common goal, which is the protection of human life and
their citizens” (Swafford, 2011).
References
Addison, A. (2010). Airliners fly in face of cyberattack scares. Physorg. Retrieved from http://www.physorg.com/news/2010-11-airliners-cyber.html
Blunk, S. S., Clark, D., & McGibany, J. (2006). Evaluating the long-run impacts of the 9/11 terrorist attacks on US domestic airline travel. Applied Economics, 38(4), 363-370. doi:10.1080/00036840500367930
Chertoff, M. (2008). The cybersecurity challenge. Regulation & Governance, 2(4), 480-484. doi:10.1111/j.1748-5991.2008.00051.x
Cyber security lacking at airports. (2008). Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/1206/cyber-security-lacking-at-airports-/
Fildes, J. (2011). Stuxnet virus targets and spread revealed. BBC News. Retrieved from http://www.bbc.co.uk/news/technology-12465688
Kakkar, M. (2011). CBI believes cyberattack led to IGI airport's technical problems in June. ZDNet. Retrieved from http://www.zdnet.com/blog/india/cbi-believes-cyber-attack-led-to-igi-airports-technical-problems-in-june/710
Montalbano, E. (2011). Homeland security seeks cybersecurity funding. Information Week. Retrieved from http://www.informationweek.com/news/government/security/229218685
Sullivan, B. (2011). 'Son of Stuxnet' virus could be used to attack critical computers worldwide. MSNBC. Retrieved from http://redtape.msnbc.msn.com
Swafford, S. (2011). International airport cyber security challenges. Radical Development. Retrieved from http://radicaldevelopment.net/2011/06/29/international-airport-cyber-security-challenges/
Vacca, J. R. (2009). Computer and information security. Burlington, MA: Morgan Kaufmann Publishers.
Valacich, J. S., & Schneider, C. (2012). Information systems today: Managing in the digital world (5th ed.). Upper Saddle River, NJ: Prentice Hall.
White House. (2011). The comprehensive national cybersecurity initiative. Retrieved from http://www.whitehouse.gov/sites/default/files/cybersecurity.pdf