CyberSecurity @ Airports

By


Paul is flying on an airplane from Bangkok to Hawaii. While the air hostess serves him a glass of champagne, Paul enjoys the calmness of the clouds around him. His flight is about to land in another 20 minutes. The pilot is communicating with the air traffic controller at the Hawaii airport. However, he is not able to connect to him. The traffic controllers are not responding back to him. Meanwhile, frantic calls are underway with the President and other top ministers. The decision is YES. Yes to pay to the hacker whose ransomware has crippled the entire system and thousands of lives are at stake.

If you feel that is fiction, it can be, but what is the guarantee that this cannot be a real scenario. In today’s age, everything is possible. We saw hospitals hacked in the UK through ransomware, metro rails displaying ransomware riddled messages, what’s stopping the airports or other critical infrastructure being hacked?

The Threat Quantum

Airports have always been highly targeted by malicious nation-state actors because they can result in high-profile disruption, casualties and damage a country’s reputation. But the threat quantum has increased exponentially with modern airports completely dependent on IT systems on their functioning. Modern airports are completely on emergent technologies such as the Internet of things (IoT), cloud and integrated systems for efficient, uninterrupted management of the logistical challenges. All of this interconnected technology also leads to an unwieldy multitude of new vulnerabilities and potential exploits that make airport cyber attack a very real risk today.

The US National Institute of Standards and Technology (NIST) categorizes the cyber-threats to airports into political or military, commercial espionage, disruption, and cybercrime. As a result, airport operators may face attempts to access physical security systems or access controls; disruptions on air bridge functions, air conditioning, heating, electrical systems, electronic signage, baggage systems, parking services, Wi-Fi networks or Distributed Denial of Service (DDoS) to make the airport’s online services unavailable. While in some cases, we have to respond to incidents, airports and other critical infrastructure when attacked do not give that luxury of taking time to respond. If the President of a country is flying and the airport is hacked, there may be little time for those who wish to take a decision on whether to pay for the ransom attack or not.

The Ongoing efforts 

The aviation sector and especially smart airports' cybersecurity have attracted researchers in recent years, as the incorporation of new innovative technologies and their available attack surface has been increased. Civil Air Navigation Services Organization (CANSO) developed a guide for increasing security level to Air Traffic Management (ATM), by presenting cyber threats and risks, as well as threat actors with their motives. CANSO proposed a model in order cybersecurity to be addressed, in combination with international standards, NIST Cybersecurity Framework, as well as a risk assessment methodology.

Although significant research has been presented regarding ATM cyber risks, there is a lack of research about threats and vulnerabilities for ground handling IT systems and airport services, especially when equipped with smart applications. From a hacker’s perspective, any vulnerability in any of the systems whether an IOT device or a CCTV or a raspberry pi computer connected to your network can act as a gateway to introduce malware into your systems. Conducting a drill which does not focus on considering all such misuse cases is not an effective drill irrespective of the number of times it has been conducted. Particular to airport cybersecurity, risks constantly change, as new threats and vulnerabilities evolve, along with ever-changing technology implementations. Hence, it is imperative to identify new misuse cases as soon as almost every day.

Airport security and cybersecurity are not new. Research and best practices have been published time and again on such aspects. “Help airports establish and/or maintain effective airport cybersecurity programs based on best practices” is the objective of the report published in 2015 called ACRP Report 140Guidebook on Best Practices for Airport Cybersecurity. The report is available at the link - http://onlinepubs.trb.org/Onlinepubs/webinars/151105.pdf. The European Union Agency for Network and Information Security (ENISA) has published its continuing work on communication network dependencies in industrial infrastructures, focusing on ICS/SCADA (Supervisory Control and Data Acquisition) systems and IoT infrastructures. In 2016, ENISA also published security guidance for smart airports, presenting key stakeholders, asset groups, threats, and risk analysis, best practices and security recommendations addressed to airport decision makers, policy-makers and industry stakeholders.

However, complete scenario based misuses cases in the current context of IOT, ransomware, smart devices, self-service kiosks as well as the upcoming 5G environment has not been published as of now. It’s high time we start building on such misuse cases as of now and evaluate the mitigation measures for them.

Singapore Changi’s airport is the ideal place to research and evaluate such misuse cases. They have shown the world how technology can be used in the best possible manner. They can also showcase it as the most secure implementation ever.

Current Challenges

While the discussion has been centered around IOT and ransomware attacks as they grab most of the headlines, understanding and evaluating the security at the airport is an extremely complex task. The physical security is something which is left to experts which consist of mostly people from the defense background. However, this panel of experts must contain representation from a defense cybersecurity expert even for a physical security point of view as physical security is also controlled through IT systems at various airports around the world. In a fully automated airport in the near future, machines evaluating and handling the entire movement of passengers would be full of challenges that need to be thought of as of today.

Here are a current set of challenges which most of the airports face as of today.

  • Dilapidated IT Infrastructure.
  • Undertrained staff
  • Limited cybersecurity awareness
  • Drills conducted for compliance purposes.
  • Vulnerable software implementation/legacy systems
  • Authorization misuse
  • No preparedness / under-preparedness to deal with cyber attacks.

Attack Scenarios and Mitigation Measures

This is focussed on the aspect of finding ways to introduce malware into the network systems of the airport or the aircraft. The attack scenarios do not focus on scenarios such as oil spillage, disgruntled employees, terrorist attacks, etc.

Tampering of self-servicing kiosks

If we think from the perspective of an attacker, it seems logical to go after the weakest link. This is a common methodology. Animals follow it while hunting, so why not human beings. Cybersecurity professionals and organizations often focus their entire energy on securing the most critical infrastructure while deeming the non-critical infra as not worthy of any security. Why would an attacker go through disabling your firewalls, IDS/IPS, elevating his authorization by hacking through the fingerprint database and avoid detection through several cloud-based platforms deployed for your critical servers?

The self-serving kiosks offer a wonderful opportunity to knock at your door. If you open the door, which you will, the attacker will enter cooly enter through it. These self-serving kiosks are often connected to some database servers which help in printing boarding passes for passengers. If the attacker is able to introduce a malware through a vendor who has come to service the kiosk or through a BYOD, half of his/her work is done. It then is a matter of time to exploit vulnerabilities in the DB server and so on.

Mitigation Measures - Such kiosks should never be on the same network. It’s best to keep them completely segregated and enabling only one-way communication through such devices.

Phishing attacks

Phishing attacks exploit the weaknesses of an individual. If I’m a cricket fan and I can get an email on the same, there is a 60-70% chance or maybe more,  that I would click on it. Attacking personnel with privileges makes sense for an attacker to enter into the network.

Mitigation - For extremely critical infra, dual authorization is the best method to prevent such attacks, in addition to, making people aware not to jump into the well all by themselves.

Vulnerable or unpatched systems/ operating systems

The UK hack of the hospitals showcased multiple systems running on outdated systems attacked by ransomware due to unpatched systems. A lot of airports run on such outdated or legacy systems which are yet to be patched. This will always be the case as the budgets will not be available for upgradation.

Mitigation measures - It’s time to build systems whose focus is security rather than just convenience. (Wish it could be so easy!!!)     

IOT and CCTV attacks

The main characteristic of smart airports is the networked, data-driven response capabilities through smart components and integrated IoT devices. Any smart device connected to the airport's network may support crucial key functions of interoperability between aircraft, airport administration, air traffic control, and other forms of communication.

The Mirae botnet showcased how easy it was to hack devices with built-in default usernames and passwords. The effectiveness of Mirai is due to its ability to infect thousands of these insecure devices and coordinate them to mount a DDoS attack against a chosen victim. Successful DDoS attack can result in either access denied for the legitimate users or system’s inability to distinguish legitimate users from fake ones.

Mitigation - Defense in depth measures. However, in my opinion, the best way is to have a red team ( any color team) identify and perform such attacks to enable authorities to understand the variety of attacks that can take place.

Access Control Attacks / IAM corruption

What if unauthorized individuals gain access to airports? IAM software generally validates and manage access control. If a vulnerability in the IAM software enables an attacker to corrupt the database and render the building management system useless, it could have devastating attacks. Is the IAM software the only way to tamper access? Disgruntled employees, contractors or business associates having in possession access credentials may also misuse their authorization privileges and act as insider threat, aiming to steal information for personal gain or to benefit another organization.

Mitigation: Effective user access management should be in place for granting and revoking access to all information systems and services. In addition, the use of utility programs that might be able to override the system and application controls shall be restricted and tightly controlled. A variety of countermeasures are also necessary, including data encryption and antimalware, in order to mitigate such attack’s impacts.

The Party has just begun

If you feel that this is exhausting, it’s just the beginning. It’s imperative that such complex problems are thought while designing future airports. Attack vectors have always been there from time immemorial. The scope, threat actors and impact have changed over time. Thinking about such misuse cases and being ready for them through awareness, business continuity plans, and simulation drills is the key to being safe, secure and ready to face all challenges ahead.

What are your thoughts on cybersecurity at airports? Which airport do you consider as one of the cyber secure airports around the world?

Image by Michael Gaida, Pixabay

Comments

  1. Dat TranAugust 4, 2019 at 2:35 PM

    Thanks, really usefull

    ReplyDelete
  2. Anjan kumar SinhaAugust 13, 2019 at 10:08 AM

    thks , its true and useful... I too am researching on same... create awareness,thats the clue.

    ReplyDelete

Post a Comment

You may also like to read...

Identification, Authentication, Authorization, and Accountability

By
Image
The 4 steps to complete access management are identification, authentication, authorization, and accountability. Many confuse or consider that identification and authentication are the same, while some forget or give the least importance to auditing. These are four distinct concepts and must be understood as such. Identification Whenever you log in to most of the websites, you submit a username. In case you create an account, you are asked to choose a username which identifies you. This username which you provide during login is “Identification”. It is simply a way of claiming your identity. From an information security point of view, identification describes a method where you claim whom you are. If you notice, you share your username with anyone. Your email id is a form of identification and you share this identification with everyone to receive emails. This means that identification is a public form of information. Authentication So now you have entered you
Continue Reading...

Access Control Models - DAC, MAC, RBAC , Rule Based & ABAC

By
Image
Identity and Access Management is an extremely vital part of information security. An access control model is a framework which helps to manage the identity and the access management in the organization. There are 5 main types of access control models: discretionary, rule-based, role-based, attribute-based and mandatory access control model. Every model uses different methods to control how subjects access objects. While one may focus on rules, the other focus on roles of the subject. As a security professional, we must know all about these different access control models. While one company may choose to implement one of these models depending on their culture, there is no rule book which says that you cannot implement multiple models in your organization. These models are built into the core or the kernel of the different operating systems and possibly their supporting applications. Every operating system has a security kernel that enforces a reference monitor concept, whi
Continue Reading...

How to Pass SSCP Exam in the First Attempt

By
Image
Systems Security Certified Practitioner (SSCP) exam is offered by (ISC)2 . When I prepared for this exam, there was hardly any material for preparation or blog posts to help me understand the experience of this exam. In this blog post, I will try to explain to you how to study for this exam and the experience of this exam.  Before I begin, let me congratulate on your journey to becoming an SSCP. Although this certification may not be highly recognized as the CISSP certification, still it shows your employer and the world that you are really interested to pursue your career in this field. You become a practitioner in this field. What is SSCP? You would like to read CISSP vs SSCP in case you want to have a comparison between the exams. SSCP is a 3-hour long examination having 125 questions. You are required to score a minimum of 700 out of 1000. 25 questions are not graded as they are research oriented questions. It is important to note that since these questions are
Continue Reading...

Understanding Security Modes - Dedicated , System high, Compartmented , Multilevel

By
Image
Imagine a system that processes information. This information is classified in nature. When we say, its classified, it means that the information has been labeled according to the data classification scheme finalized by the organization. This scheme can be company specific, such as public, internal and confidential or military/government specific such as Confidential, Top Secret, Secret, Public. As a general user or a security professional, you would want that proper controls to be implemented and the system to be secure that processes such information. Imagine a scenario where such a malicious user tries to access this information. What clearance must this person have? Will he/she have access to all classified levels? Hey!!, stop imagining. Let’s discuss something else now. Hold on, I know, I had asked you to imagine the scenario above. But answers to all your questions would follow, so keep on reading further. We need to learn and understand a few terms before we are ready
Continue Reading...

Cloud Computing - The Logical Model

By
Image
At a high level, both cloud and traditional computing adhere to a logical model that helps identify different layers based on functionality.  The four layers are : Infrastructure: The core components of a computing system: compute, network, and storage.The foundation that everything else is built on. The moving parts. Metastructure: The protocols and mechanisms that provide the interface between the infrastructure layer and the other layers. The glue that ties the technologies and enables management and configuration. Infostructure: The data and information. Content in a database, file storage, etc. Applistructure: The applications deployed in the cloud and the underlying application services used to build them. For example, Platform as a Service features like message queues, artificial intelligence analysis, or notification services. The security at different levels is mapped to the different layers. The application security is managed at the applistructure layer while the data sec
Continue Reading...