State of Cybersecurity in U.S. Airports

Critical infrastructure operators, like airports, are attractive targets due to the many people, devices, and technology systems present. In the past decade, airports have exponentially increased their dependence on technology to manage processes, operations, and improve the passenger experience. The volume and variety of data are enticing as is the chance to cause social and economic chaos in a global transportation network by causing flight delays or stoppages and increased security responses. Air travel involves data transfer with many stakeholders, including the airlines, the passengers, origin and destination airports, credit card companies, and more, as well as customs and border protection for international travel.

To bring the reality of cyber-attacks home, SDI examined the following publicly known cyber-attacks and simulated what impact a similar event would have on an airport environment. Along the way, the SDI Team also offers some preventive actions to take to mitigate these potential risks:

Denial of Service (DoS) / Distributed Denial of Service (DDoS)
  • Threat: Overtake a system’s resources so it cannot respond to service requests. These attacks can bring a system to a halt, leaving it unable to function.
  • Location/Year: Estonia Cyberattack (2007)
  • Climate: Estonian authorities moved a Soviet Red Army memorial from the center of Tallinn to the outskirts of town, a position of much less prominence. Russians and ethnic-Russian Estonians believed the memorial represented the USSR’s victory over Nazism, while ethnic Estonians believed the Red Army soldiers were not liberators but occupiers, with the memorial seen as a painful symbol of long-time Soviet oppression.
  • Actor: Suspected Nation State actors, though only a single ethnic-Russian Estonian national was charged and convicted.
  • What Happened: All Estonian government, financial, and media online services were knocked offline by massive levels of internet traffic.
  • Impact: Citizens of Estonia could not get their money, government employees could not communicate with one another, and media outlets couldn’t deliver the news.
  • Potential Impact of a DDoS Event to an Airport: Airports rely on uptime and availability. A DDoS attack could disable ground traffic management systems or flight planning systems, resulting in flight delays and cancellations. These attacks could also take down critical security systems, thus threatening life safety or acting as cover for a physical terror attack.

Prevention:

  • Have a Disaster Recovery Plan tested and ready
  • Intrusion prevention systems (IPSes) with DDoS detection functionality.
  • Partner with a third-party protection service to monitor network traffic.
  • Use a web protection tool to handle application layer DoS attacks.
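
The IPS and traffic-monitoring items above both come down to watching request rates. The following is an added example written for this post (not SDI's tooling and not any vendor's IPS): a sliding-window rate check over web server access logs that reports single flooding hosts and, separately, the aggregate peak, since a distributed flood stays under any per-source threshold. The log lines are constructed samples in Common Log Format using documentation IP ranges; the window and threshold values are assumptions to tune per system.

```python
"""Added example: sliding-window request-rate check over constructed access-log lines."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def peak_in_window(stamps, window):
    """Largest number of timestamps falling inside any interval of length `window`."""
    stamps = sorted(stamps)
    start = peak = 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def flag_sources(lines, window=timedelta(seconds=10), threshold=20):
    """Per-source check: {ip: peak_requests} for each source whose request count in
    some `window` exceeds `threshold`. This catches a single flooding host."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            by_ip[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, stamps in by_ip.items():
        peak = peak_in_window(stamps, window)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def global_peak(lines, window=timedelta(seconds=10)):
    """Aggregate check: peak request count across all sources in any `window`.
    A distributed flood spreads requests over many IPs, so this number matters too."""
    stamps = [p[1] for p in map(parse_line, lines) if p]
    return peak_in_window(stamps, window) if stamps else 0


def _fmt(ip, ts, req):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" 200 512'


def build_sample_log():
    """Constructed sample (not real traffic): one host fires 60 requests in 6 s
    while two other hosts browse at a normal pace."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = [_fmt("203.0.113.7", base + timedelta(milliseconds=100 * i), "GET /flights HTTP/1.1")
             for i in range(60)]
    lines += [_fmt("198.51.100.4", base + timedelta(seconds=3 * i), "GET /parking HTTP/1.1")
              for i in range(5)]
    lines += [_fmt("198.51.100.9", base + timedelta(seconds=4 * i + 1), "GET /arrivals HTTP/1.1")
              for i in range(5)]
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("flagged sources:", flag_sources(log))
    print("peak requests in any 10 s window:", global_peak(log))
```

Run against the constructed sample, the per-source check flags only 203.0.113.7, while the aggregate peak reflects everyone's traffic together; in production the same two numbers would feed an alert and a rate-limiting rule rather than a print statement.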

Man in the Middle (MiTM)
  • Threat: A cyber attacker intercepts, sends, and/or receives client-server communications. The attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
  • Location/Year: Europe (2015)
  • Climate: No identified triggering event
  • Actor: Cybercriminal Group (Europol arrested over 40 suspects mainly from Nigeria, Cameroon, and Spain).
  • What Happened: Through social engineering, the attackers planted the MiTM-enabling malware on targeted European companies’ networks to monitor communications. They were then able to detect customer email payment requests and redirect customers to send money to bank accounts under the criminals’ control. The group netted $6.8 million in a short amount of time.
  • Impact: Corporate reputation damage, corporate loss of revenue (mitigation, fines, legal actions), customer loss of confidence, customer loss of data.
  • Potential Impact of a MiTM Event to an Airport: Cyber attackers hijack airport employees’ web sessions and steal login cookies, allowing them to gain access to airport financial systems and redirect payments to other accounts. This type of attack could also allow attackers to gain access to critical security systems, thus threatening life safety or acting as cover for a physical terror attack.

Prevention:

  • Cyber awareness for customers.
  • Have a Disaster Recovery Plan tested and ready
  • Intrusion detection systems (IDS).
  • Strong encryption mechanisms on wireless access points.
  • Use of virtual private networks (VPNs) for sensitive information within a local area network.
  • Force HTTPS to more securely communicate over the internet or with internal systems using a public-private key exchange.
  • Encrypt emails at rest and in transit through use of Secure/Multipurpose Internet Mail Extensions (S/MIME).
  • Implement Certificate-Based Authentication.

Phishing
  • Threat: Sending emails impersonating trusted sources. Users are tricked into providing credentials or installing ransomware, malware, or trojans.
  • Location/Year: Washington D.C. (2017)
  • Climate: No identified triggering event
  • Actor: Cybercriminal Group (five Romanians were charged).
  • What Happened: Through an email phishing attack, Romanian hackers sent spam emails infected with ransomware. They were able to take over two-thirds of the City’s outdoor surveillance cameras leaving them unable to record video. Video storage devices posted a Cerber Ransomware Notification requesting payment in order to release the systems and data. The attack occurred just eight days before the Presidential inauguration, setting off national security concerns.
  • Impact: The breach took three days to resolve. The system was unable to record video between January 12th and 15th while the City mitigated the issue. No ransom was ever paid. The inauguration took place on January 20th.
  • Potential Impact of a Phishing Event to an Airport: Should video storage devices become infected with ransomware, an airport would be unable to use or record video without payment. Without recorded video, the airport is at a higher security risk until the attack is remediated. There may be direct financial impacts as well if the airport needs to staff areas with security personnel until cameras and recording functionality are restored.

Prevention:

  • Cyber awareness training for employees to detect and identify phishing attacks.
  • Have a Disaster Recovery Plan tested and ready
  • Keep devices secure by ensuring security patches and updates get installed.
  • Configure applications to monitor for unusual account activity and notify administrators.
  • Implement email protection for advanced email filtering, email traffic scanning, attacker email threat protection, and email continuity.
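
The email filtering item above is where most phishing is stopped before a user ever sees it. The following is an added example written for this post (not SDI's code and not any vendor's filter) showing the header-consistency and lure checks such a layer applies: it compares the visible sender domain with Reply-To and Return-Path, flags look-alike domains that embed the organisation's own name, and pairs credential or urgency wording with a link. The two messages are constructed samples, and `airport.example` is a hypothetical trusted domain.

```python
"""Added example: header-consistency and lure checks over constructed email messages."""
import email
import re
from email.utils import parseaddr

TRUSTED_DOMAINS = {"airport.example"}   # hypothetical: the airport's own mail domain
LURE_WORDS = ("password", "expires", "urgent", "verify your account", "invoice attached")


def _domain(header_value):
    """Domain part of the address in a header, lower-cased, or None if absent."""
    if not header_value:
        return None
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def phishing_indicators(raw_message):
    """Return the set of indicator names triggered by a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    hits = set()
    sender = _domain(msg["From"])
    reply_to = _domain(msg["Reply-To"])
    return_path = _domain(msg["Return-Path"])

    # Replies or bounces routed to a different domain than the visible sender.
    if reply_to and reply_to != sender:
        hits.add("reply_to_mismatch")
    if return_path and return_path != sender:
        hits.add("return_path_mismatch")

    # Sender domain is not ours but embeds our name (airport.example.co, airport-example...).
    if sender and sender not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted in sender or trusted.replace(".", "-") in sender:
                hits.add("lookalike_domain")

    # Crude lure heuristic: credential/urgency wording together with a link.
    body = msg.get_payload(decode=True)
    text = (msg["Subject"] or "") + " " + (body.decode("utf-8", "replace") if body else "")
    text = text.lower()
    if any(w in text for w in LURE_WORDS) and re.search(r"https?://", text):
        hits.add("credential_lure")
    return hits


# Constructed sample 1: a credential-harvesting lure spoofing the help desk.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-relay-xyz.example>
From: "IT Service Desk" <helpdesk@airport.example.co>
Reply-To: <recovery@mail-relay-xyz.example>
To: staff@airport.example
Subject: Your password expires today
Content-Type: text/plain

Your password expires today. Sign in at https://airport-example-login.example/reset to keep access.
"""

# Constructed sample 2: a routine internal notice.
SAMPLE_LEGIT = """\
From: "IT Service Desk" <helpdesk@airport.example>
To: staff@airport.example
Subject: Badging portal maintenance window
Content-Type: text/plain

The badging portal will be offline 02:00-04:00 Saturday for patching.
"""

if __name__ == "__main__":
    print("phish:", sorted(phishing_indicators(SAMPLE_PHISH)))
    print("legit:", sorted(phishing_indicators(SAMPLE_LEGIT)))
```

None of these checks is conclusive on its own (a legitimate newsletter can have a mismatched Return-Path), which is why a real filter scores several indicators together and why the awareness training in the list above still matters for whatever gets through.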

SQL Injection (SQLi)
  • Threat: Attacker runs a SQL query through a database input field in an online form. Successful SQL injections can return sensitive data from a database, modify data, or execute administrative functions on a database.
  • Location/Year: British Telecom TalkTalk (2015)
  • Climate: No identified triggering event
  • Actor: A 19-year-old hacktivist.
  • What Happened: A SQLi attack grabbed the personal details of over 150,000 customers, including financial data for 15,000 of those customers.
  • Impact: Corporate reputation damage, corporate loss of revenue (mitigation, fines, legal actions), customer loss of confidence. TalkTalk was assessed over $500,000 in fines for security failings.
  • Potential Impact of an SQLi Event to an Airport: A SQLi attack on the web portal for an airport ID Badging system could allow attackers to access personally identifiable information (PII) contained in the ID Badging system.

Prevention:

  • Have a Disaster Recovery Plan tested and ready
  • Ensure all application code is designed and developed to meet security standards.
  • Audit and test systems regularly against these types of vulnerabilities.
  • Apply the Principle of Least Privilege: Users can only access or change the resources they need.
  • Implement password hashing (do not store unencrypted passwords in databases).
  • Implement vulnerability scanning.
  • Perform penetration testing.
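
The "meet security standards" and password-hashing items above translate into two concrete coding rules. The following is an added example written for this post (not SDI's code and not any real badging system) against a hypothetical ID Badging table in SQLite: the injectable lookup beside its parameterized form, and salted PBKDF2 password storage with constant-time verification. All records are constructed, and the probe string is the textbook tautology that a scanner or tester submits to a form field.

```python
"""Added example: parameterized queries and salted password hashing for a hypothetical badge table."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000


def hash_password(password):
    """Salted PBKDF2-SHA256; the record carries everything needed to verify later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and rounds; constant-time compare avoids timing leaks."""
    _, rounds, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def setup_db():
    """In-memory SQLite with a hypothetical badge table holding PII (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE badges (badge_id TEXT PRIMARY KEY, holder TEXT, "
                 "dob TEXT, password_hash TEXT)")
    rows = [
        ("A1001", "Alice Example", "1980-01-01", hash_password("alice-pass")),
        ("A1002", "Bob Example", "1975-06-15", hash_password("bob-pass")),
        ("A1003", "Carol Example", "1990-09-30", hash_password("carol-pass")),
    ]
    conn.executemany("INSERT INTO badges VALUES (?, ?, ?, ?)", rows)
    return conn


def lookup_badge_vulnerable(conn, badge_id):
    """The flaw: user input is spliced into the SQL text, so a quote character in the
    input changes the structure of the query instead of being part of the value."""
    sql = f"SELECT badge_id, holder, dob FROM badges WHERE badge_id = '{badge_id}'"
    return conn.execute(sql).fetchall()


def lookup_badge_safe(conn, badge_id):
    """The fix: a bound parameter is always treated as a value, never as SQL."""
    sql = "SELECT badge_id, holder, dob FROM badges WHERE badge_id = ?"
    return conn.execute(sql, (badge_id,)).fetchall()


def login(conn, badge_id, password):
    """Authenticate without ever storing or comparing a plaintext password."""
    row = conn.execute("SELECT password_hash FROM badges WHERE badge_id = ?",
                       (badge_id,)).fetchone()
    return bool(row) and verify_password(password, row[0])


if __name__ == "__main__":
    db = setup_db()
    probe = "x' OR '1'='1"   # constructed test input, the textbook tautology
    print("vulnerable query returns", len(lookup_badge_vulnerable(db, probe)), "rows")
    print("parameterized query returns", len(lookup_badge_safe(db, probe)), "rows")
    print("login:", login(db, "A1001", "alice-pass"), login(db, "A1001", "wrong"))
```

With the probe string, the vulnerable lookup returns every badge holder's record while the parameterized one returns nothing, which is exactly the difference a regular audit of the portal should be looking for; the least-privilege item in the list adds a second layer, since a database account limited to reading its own tables cannot be used to "execute administrative functions" even if a query is injected.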

Cross-Site Scripting (XSS)
  • Threat: XSS targets browsers. An attacker injects malicious scripts into a website’s database. This most commonly causes web session hijacking, giving the attacker access to the user’s account. Additional vulnerabilities can give the attacker access to network information, machine access, keystrokes, and more.
  • Location/Year: eBay (2014)
  • Climate: No identified triggering event
  • Actor: Unknown Cybercriminal(s).
  • What Happened: Hackers exploited a common vulnerability to inject malicious JavaScript into item listings. Users clicking on the listing were taken to a look-alike eBay web page where their login credentials were stolen. These credentials were used to propagate more malicious code into additional listings. The data was also sold to other attackers.
  • Impact: Corporate reputation damage, corporate loss of revenue (mitigation, fines, legal actions), customer loss of confidence, customer loss of data. Note that eBay has had continued issues with attackers continuing to exploit XSS vulnerabilities to steal account credentials. eBay has also had to manage its reputation and negative feedback on its response to these security concerns.
  • Potential Impact of a Cross-Site Scripting Event to an Airport: In a potential nuisance attack on an airport, an attacker can use XSS to steal credentials to the airport signage system and reconfigure all airport signs to display inappropriate messages.

Prevention:

  • Have a Disaster Recovery Plan tested and ready
  • Ensure all web application code is protected against XSS vulnerabilities.
  • Implement vulnerability scanning.
  • Perform web application testing on all apps.
  • Perform penetration testing.
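
"Protected against XSS vulnerabilities" means encoding output for the context it lands in and making stolen sessions harder to use. The following is an added example written for this post (not SDI's code) for a hypothetical airport signage web console; it also covers the session-cookie theft and "Force HTTPS" items from the Man in the Middle section above. It shows the unsafe template beside the escaped one, a URL-context rule that refuses `javascript:` links, an HttpOnly/Secure session cookie, the HSTS and CSP response headers, and the HTTP-to-HTTPS redirect. All host names are placeholders.

```python
"""Added example: output encoding and response hardening for a hypothetical signage console."""
import html
from urllib.parse import urlsplit, urlunsplit


def render_sign_message_unsafe(message):
    """The flaw: operator-supplied text pasted straight into HTML, so any <script>
    stored in the message runs in every viewer's browser."""
    return f'<div class="sign">{message}</div>'


def render_sign_message(message):
    """The fix for HTML body context: escape <, >, &, and quotes so markup is shown as text."""
    return f'<div class="sign">{html.escape(message, quote=True)}</div>'


def render_link(label, href):
    """URL context needs its own rule: besides escaping, refuse schemes other than
    http(s) or relative paths so a 'javascript:' URL cannot become a clickable link."""
    scheme = urlsplit(href).scheme.lower()
    if scheme not in ("", "http", "https"):
        raise ValueError(f"refusing link with scheme {scheme!r}")
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(label)}</a>'


def session_cookie_header(token):
    """HttpOnly keeps the cookie out of document.cookie (a script cannot read it),
    Secure keeps it off plaintext HTTP, SameSite limits cross-site sending."""
    return f"session={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


def security_headers():
    """Headers that back up the escaping: HSTS pins browsers to HTTPS, and a CSP
    without 'unsafe-inline' refuses injected inline script even if escaping is missed."""
    return {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def enforce_https(url):
    """Return the https:// form of a plaintext URL to redirect to, or None if the
    request already arrived over HTTPS."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return None
    if parts.scheme != "http":
        raise ValueError(f"unexpected scheme {parts.scheme!r}")
    return urlunsplit(("https",) + tuple(parts[1:]))


if __name__ == "__main__":
    # Constructed test input: the textbook script tag a scanner would submit.
    probe = "<script>alert('xss')</script> Gate B12 -> B7"
    print(render_sign_message_unsafe(probe))
    print(render_sign_message(probe))
    print(session_cookie_header("placeholder-token"))
    print(enforce_https("http://signs.airport.example/login"))
```

The web application testing item in the list is what catches the places where a developer used the unsafe form; the cookie flags and headers limit the damage when one is missed, because a script that cannot read the session cookie cannot hand it to an attacker.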

As these real-world scenarios applied to an airport environment show, known cyberattack methods are a genuine threat and can have wide-ranging impacts on an airport. The necessity for rigorous cyber programming in an airport now drives the question of how to equip airport operators with the breadth and depth of the technology skillset required.

ABOUT SDI GUEST BLOGGER

Erin Manning is a Director of Learning at SDI Presence. A certified Project Management Professional (PMP) and Certified Information Security Manager (CISM), Erin is well versed in FAA/FAR/TSA Regulations with expertise in public safety and security systems. Erin has served as project manager on numerous aviation security projects including at O’Hare International Airport, Midway International Airport, Los Angeles World Airports, and Phoenix Sky Harbor.