CyberSecurity @ Airports

Paul is flying from Bangkok to Hawaii. While the air hostess serves him a glass of champagne, Paul enjoys the calm of the clouds around him. His flight is due to land in another 20 minutes. The pilot is trying to reach the air traffic controller at the Hawaii airport, but he cannot get through; the controllers are not responding. Meanwhile, frantic calls are underway with the President and other top ministers. The decision is YES. Yes to paying the hacker whose ransomware has crippled the entire system, with thousands of lives at stake.

If you feel that this is fiction, it may well be, but what is the guarantee that it cannot become a real scenario? In today’s age, everything is possible. We have seen hospitals in the UK hit by ransomware and metro rail displays showing ransomware messages; what is stopping airports or other critical infrastructure from being hacked?

The Threat Quantum

Airports have always been highly targeted by malicious nation-state actors because an attack on them can cause high-profile disruption and casualties and damage a country’s reputation. But the threat quantum has increased exponentially now that modern airports depend completely on IT systems for their functioning. Modern airports rely on emerging technologies such as the Internet of Things (IoT), cloud and integrated systems for efficient, uninterrupted management of their logistical challenges. All of this interconnected technology also brings an unwieldy multitude of new vulnerabilities and potential exploits that make an airport cyber attack a very real risk today.

The US National Institute of Standards and Technology (NIST) categorizes cyber threats to airports as political or military, commercial espionage, disruption, and cybercrime. As a result, airport operators may face attempts to access physical security systems or access controls; disruption of air bridge functions, air conditioning, heating, electrical systems, electronic signage, baggage systems, parking services or Wi-Fi networks; or Distributed Denial of Service (DDoS) attacks that make the airport’s online services unavailable. In some cases we can afford to take time to respond to an incident, but airports and other critical infrastructure under attack do not give us that luxury. If the President of a country is flying and the airport is hacked, there may be very little time for those who must decide whether or not to pay the ransom.

The Ongoing Efforts

The aviation sector, and especially the cybersecurity of smart airports, has attracted researchers in recent years, as the incorporation of new innovative technologies has increased the available attack surface. The Civil Air Navigation Services Organisation (CANSO) developed a guide for raising the security level of Air Traffic Management (ATM), presenting cyber threats and risks as well as threat actors and their motives. CANSO proposed a model for addressing cybersecurity in combination with international standards, the NIST Cybersecurity Framework, and a risk assessment methodology.

Although significant research has been presented regarding ATM cyber risks, there is a lack of research about threats and vulnerabilities for ground handling IT systems and airport services, especially when equipped with smart applications. From a hacker’s perspective, any vulnerability in any of the systems, whether an IoT device, a CCTV camera or a Raspberry Pi computer connected to your network, can act as a gateway for introducing malware into your systems. A drill that does not consider all such misuse cases is not an effective drill, irrespective of how many times it has been conducted. Airport cybersecurity risks in particular change constantly, as new threats and vulnerabilities evolve along with ever-changing technology implementations. Hence, it is imperative to identify new misuse cases almost every day.

Airport security and cybersecurity are not new. Research and best practices have been published time and again on these aspects. “Help airports establish and/or maintain effective airport cybersecurity programs based on best practices” is the objective of ACRP Report 140, Guidebook on Best Practices for Airport Cybersecurity, published in 2015. The report is available at the link - The European Union Agency for Network and Information Security (ENISA) has published its continuing work on communication network dependencies in industrial infrastructures, focusing on ICS/SCADA (Supervisory Control and Data Acquisition) systems and IoT infrastructures. In 2016, ENISA also published security guidance for smart airports, presenting key stakeholders, asset groups, threats, risk analysis, best practices and security recommendations addressed to airport decision makers, policy-makers and industry stakeholders.

However, complete scenario-based misuse cases in the current context of IoT, ransomware, smart devices, self-service kiosks and the upcoming 5G environment have not been published so far. It’s high time we start building such misuse cases and evaluating the mitigation measures for them.

Singapore’s Changi Airport is the ideal place to research and evaluate such misuse cases. They have shown the world how technology can be used in the best possible manner. They can also showcase it as the most secure implementation ever.

Current Challenges

While the discussion has centered on IoT and ransomware attacks, since they grab most of the headlines, understanding and evaluating security at an airport is an extremely complex task. Physical security is left to experts, who mostly come from a defense background. However, this panel of experts must also include a defense cybersecurity expert, even from a physical security point of view, because at various airports around the world physical security is itself controlled through IT systems. In the fully automated airport of the near future, with machines evaluating and handling the entire movement of passengers, there will be challenges that need to be thought about today.

Here is the current set of challenges that most airports face today.

  • Dilapidated IT infrastructure
  • Undertrained staff
  • Limited cybersecurity awareness
  • Drills conducted for compliance purposes only
  • Vulnerable software implementations / legacy systems
  • Authorization misuse
  • No preparedness / under-preparedness to deal with cyber attacks

Attack Scenarios and Mitigation Measures

This section focuses on the ways malware could be introduced into the network systems of the airport or the aircraft. The attack scenarios do not cover scenarios such as oil spillage, disgruntled employees, terrorist attacks, etc.

Tampering of self-service kiosks

If we think from the perspective of an attacker, it seems logical to go after the weakest link. This is a common methodology: animals follow it while hunting, so why not human beings? Cybersecurity professionals and organizations often focus their entire energy on securing the most critical infrastructure while deeming the non-critical infra not worthy of any security. Why would an attacker go to the trouble of disabling your firewalls and IDS/IPS, elevating his privileges by hacking through the fingerprint database, and evading detection by the several cloud-based platforms deployed for your critical servers?

The self-service kiosks offer a wonderful opportunity to knock at your door. If you open the door, which you will, the attacker will coolly walk through it. These self-service kiosks are often connected to database servers that help print boarding passes for passengers. If the attacker is able to introduce malware through a vendor who has come to service the kiosk, or through a BYOD device, half of his/her work is done. It is then only a matter of time before vulnerabilities in the DB server are exploited, and so on.

Mitigation Measures - Such kiosks should never sit on the same network as the rest of the airport’s systems. It’s best to keep them completely segregated and to allow only one-way communication through such devices.
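The segregation described above can be expressed as a default-deny policy in which kiosks may only initiate connections to the boarding-pass service and nothing may initiate connections toward the kiosks. The following checker is an added example, not code from the original post or from any airport; the network ranges (kiosk VLAN 10.50.0.0/24, boarding-pass DB at 10.20.0.10), the port and the sample flows are all constructed assumptions.

```python
"""Kiosk segmentation policy check (added example, assumed addressing)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

KIOSK_NET = ipaddress.ip_network("10.50.0.0/24")     # assumed kiosk VLAN
BOARDING_DB = ipaddress.ip_network("10.20.0.10/32")  # assumed boarding-pass DB host


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network   # who may initiate the connection
    dst: ipaddress.IPv4Network   # toward whom
    dport: Optional[int]         # None means any destination port
    proto: str


# Allow-list: kiosks may initiate TCP to the boarding-pass service only.
# Everything else, including anything initiated toward a kiosk, is denied.
ALLOW = [Rule(KIOSK_NET, BOARDING_DB, 5432, "tcp")]


def flow_allowed(src, dst, dport, proto, allow=ALLOW):
    """Default-deny evaluation of a connection attempt initiated by src."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        s in r.src and d in r.dst and r.proto == proto
        and (r.dport is None or r.dport == dport)
        for r in allow
    )


def policy_lint(allow=ALLOW, kiosk_net=KIOSK_NET):
    """Flag rules that would break one-way segregation: anything that lets
    traffic be initiated toward the kiosk VLAN, or kiosk rules without a fixed port."""
    problems = []
    for r in allow:
        if r.dst.overlaps(kiosk_net):
            problems.append(f"inbound to kiosk VLAN permitted: {r}")
        if r.src.overlaps(kiosk_net) and r.dport is None:
            problems.append(f"kiosk rule without a fixed destination port: {r}")
    return problems


# Constructed sample flows: (src, dst, dport, proto, description)
SAMPLE_FLOWS = [
    ("10.50.0.17", "10.20.0.10", 5432, "tcp", "kiosk -> boarding-pass DB"),
    ("10.50.0.17", "10.10.3.4", 445, "tcp", "kiosk -> corporate file share"),
    ("10.20.0.10", "10.50.0.17", 22, "tcp", "DB -> kiosk (wrong direction)"),
    ("10.50.0.17", "10.50.0.18", 3389, "tcp", "kiosk -> neighbouring kiosk"),
    ("192.168.77.5", "10.50.0.17", 80, "tcp", "vendor laptop -> kiosk"),
]


def audit(flows=SAMPLE_FLOWS):
    """Return [(description, allowed?)] for each sample flow."""
    return [(desc, flow_allowed(s, d, p, pr)) for s, d, p, pr, desc in flows]


if __name__ == "__main__":
    for desc, ok in audit():
        print(f"{'ALLOW' if ok else 'DENY ':5} {desc}")
    print("policy lint:", policy_lint() or "clean")
```

Only the first sample flow is permitted; a compromised kiosk cannot reach the corporate LAN or its neighbours, and a vendor laptop plugged in at the kiosk gets nowhere. The `policy_lint` check is the part worth keeping in a change pipeline: it catches a later rule that quietly re-opens inbound access to the kiosk VLAN.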

Phishing attacks

Phishing attacks exploit the weaknesses of an individual. If I’m a cricket fan and I receive an email about cricket, there is a 60-70% chance, or maybe more, that I would click on it. Targeting personnel with privileges makes sense for an attacker wanting to get into the network.

Mitigation - For extremely critical infra, dual authorization is the best method to prevent such attacks, in addition to making people aware not to jump into the well all by themselves.
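Dual authorization only helps against a phished privileged account if the gate is strict about who counts as a second approver. The snippet below is an added example, not the post’s own code; it assumes a constructed approver roster, a constructed change request and a 15-minute approval validity window, and shows that a self-approval, an approval from someone off the roster, or a stale approval does not make up the second pair of hands.

```python
"""Dual authorization gate for privileged actions (added example; roster,
request and approval records are constructed assumptions)."""
from datetime import datetime, timedelta

PRIVILEGED_APPROVERS = {"ops.lead", "sec.lead", "it.director"}  # assumed roster


def valid_approvers(request, approvals, now, max_age=timedelta(minutes=15)):
    """Distinct approvers whose approval counts for this request: on the
    roster, not the requester themself, for this request, and not expired."""
    ok = set()
    for a in approvals:
        if a["request_id"] != request["id"]:
            continue                                   # approval for something else
        if a["approver"] not in PRIVILEGED_APPROVERS:
            continue                                   # not an authorized approver
        if a["approver"] == request["requested_by"]:
            continue                                   # no self-approval
        if now - a["at"] > max_age:
            continue                                   # stale approval, re-approve
        ok.add(a["approver"])
    return ok


def dual_authorized(request, approvals, now):
    """True only when two distinct valid approvers have signed off."""
    return len(valid_approvers(request, approvals, now)) >= 2


T0 = datetime(2019, 6, 1, 9, 0)
REQUEST = {"id": "chg-101", "requested_by": "ops.lead",
           "action": "push firmware to baggage-handling PLCs"}  # constructed


def run_scenarios():
    """Constructed approval sets, all evaluated five minutes after T0."""
    self_plus_one = [
        {"request_id": "chg-101", "approver": "ops.lead", "at": T0},
        {"request_id": "chg-101", "approver": "sec.lead", "at": T0 + timedelta(minutes=2)},
    ]
    two_distinct = self_plus_one + [
        {"request_id": "chg-101", "approver": "it.director", "at": T0 + timedelta(minutes=3)},
    ]
    one_stale = [
        {"request_id": "chg-101", "approver": "sec.lead", "at": T0 - timedelta(hours=2)},
        {"request_id": "chg-101", "approver": "it.director", "at": T0 + timedelta(minutes=3)},
    ]
    wrong_request = [
        {"request_id": "chg-999", "approver": "sec.lead", "at": T0},
        {"request_id": "chg-101", "approver": "it.director", "at": T0},
    ]
    now = T0 + timedelta(minutes=5)
    return {
        "self_plus_one": dual_authorized(REQUEST, self_plus_one, now),
        "two_distinct": dual_authorized(REQUEST, two_distinct, now),
        "one_stale": dual_authorized(REQUEST, one_stale, now),
        "wrong_request": dual_authorized(REQUEST, wrong_request, now),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:14} -> {'AUTHORIZED' if ok else 'blocked'}")
```

The point of the expiry and the per-request binding is that an approval captured from a phished approver cannot be replayed later or against a different change.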

Vulnerable or unpatched systems/ operating systems

The ransomware attack on UK hospitals showed multiple machines running outdated, unpatched systems being hit. A lot of airports run on such outdated or legacy systems that are yet to be patched. This will always be the case, as budgets will not be available for upgrades.

Mitigation measures - It’s time to build systems whose focus is security rather than just convenience. (Wish it could be so easy!!!)

IoT and CCTV attacks

The main characteristic of smart airports is the networked, data-driven response capabilities through smart components and integrated IoT devices. Any smart device connected to the airport's network may support crucial key functions of interoperability between aircraft, airport administration, air traffic control, and other forms of communication.

The Mirai botnet showcased how easy it was to hack devices with built-in default usernames and passwords. The effectiveness of Mirai is due to its ability to infect thousands of these insecure devices and coordinate them to mount a DDoS attack against a chosen victim. A successful DDoS attack can result in either legitimate users being denied access or the system being unable to distinguish legitimate users from fake ones.

Mitigation - Defense in depth measures. However, in my opinion, the best way is to have a red team (or any color team) identify and perform such attacks so that the authorities understand the variety of attacks that can take place.
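Defense in depth for the CCTV and IoT segment includes noticing when a device starts behaving like a Mirai-infected one: a camera that suddenly opens telnet connections to many different hosts in a short window. The detector below is an added example, not code from the post or from any product; the log format (one connection record per line with `src=`, `dst=`, `dport=`), the addresses and the lines themselves are constructed, and it assumes the records arrive in time order.

```python
"""Flag devices on the camera segment that fan out telnet connections to many
distinct hosts within a short window (added example; constructed log format)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed connection-log format: "<ISO timestamp> src=<ip> dst=<ip> dport=<n> proto=tcp"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=tcp$")
TELNET_PORTS = {23, 2323}   # the two ports Mirai-style scanners probe


def parse(line):
    """Return (timestamp, src, dst, dport) or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def flag_telnet_scanners(lines, window_s=60, min_targets=5):
    """Sliding window per source: count distinct telnet destinations seen within
    the last window_s seconds. Returns {src: peak distinct targets} for sources
    that reached min_targets at any point. Lines are assumed time-ordered."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue              # malformed line, skip
        ts, src, dst, dport = rec
        if dport not in TELNET_PORTS:
            continue              # normal traffic (RTSP, HTTPS, ...) is not counted
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()           # drop entries older than the window
        distinct = len({d for _, d in q})
        if distinct >= min_targets:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


# Constructed sample: 10.60.0.21 is a camera fanning out to six hosts in 25 s,
# 10.60.0.22 touches only two hosts, 10.60.0.5 is the NVR pulling RTSP.
SAMPLE_LOG = """\
2019-05-01T09:50:00 src=10.60.0.21 dst=10.60.0.90 dport=23 proto=tcp
2019-05-01T10:00:00 src=10.60.0.21 dst=10.60.0.91 dport=23 proto=tcp
2019-05-01T10:00:05 src=10.60.0.21 dst=10.60.0.92 dport=23 proto=tcp
2019-05-01T10:00:07 src=10.60.0.5 dst=10.60.0.21 dport=554 proto=tcp
2019-05-01T10:00:10 src=10.60.0.21 dst=10.60.0.93 dport=2323 proto=tcp
2019-05-01T10:00:15 src=10.60.0.21 dst=10.60.0.94 dport=23 proto=tcp
2019-05-01T10:00:18 src=10.60.0.22 dst=10.60.0.95 dport=23 proto=tcp
2019-05-01T10:00:20 src=10.60.0.21 dst=10.60.0.95 dport=23 proto=tcp
2019-05-01T10:00:25 src=10.60.0.21 dst=10.60.0.96 dport=23 proto=tcp
this line is malformed and should be skipped
2019-05-01T10:00:30 src=10.60.0.22 dst=10.60.0.96 dport=23 proto=tcp
"""

if __name__ == "__main__":
    for src, peak in flag_telnet_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {peak} distinct telnet targets within 60 s")
```

The 09:50 connection from the same camera falls outside the window and is not counted, so the alert reflects a burst, not a device that legitimately manages a couple of peers over time. In practice the threshold and window are tuned per segment; cameras and kiosks have no business initiating telnet at all, so on those VLANs even `min_targets=1` is a reasonable rule.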

Access Control Attacks / IAM corruption

What if unauthorized individuals gain access to airports? IAM software generally validates and manages access control. If a vulnerability in the IAM software enables an attacker to corrupt its database and render the building management system useless, the consequences could be devastating. Is the IAM software the only way to tamper with access? Disgruntled employees, contractors or business associates in possession of access credentials may also misuse their authorization privileges and act as insider threats, aiming to steal information for personal gain or to benefit another organization.

Mitigation: Effective user access management should be in place for granting and revoking access to all information systems and services. In addition, the use of utility programs that might be able to override system and application controls shall be restricted and tightly controlled. A variety of countermeasures are also necessary, including data encryption and antimalware, in order to mitigate the impact of such attacks.
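A periodic access review is the mechanical half of the user access management described above. The script below is an added example, not the post’s or any IAM product’s code; it assumes a constructed role-to-entitlement map (least privilege per job role), a constructed set of restricted utilities, and a constructed account list, and reports three things a reviewer would act on: entitlements outside the holder’s role (authorization misuse), contractors whose engagement has ended but whose access was never revoked, and dormant accounts that still hold restricted utilities.

```python
"""Access review over an account inventory (added example; roles, entitlements
and accounts are constructed assumptions)."""
from datetime import date, timedelta

# Assumed least-privilege map: which entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "gate-agent": {"dcs.read", "boarding.print"},
    "baggage-ops": {"bhs.read", "bhs.control"},
    "it-admin": {"ad.admin", "bhs.control", "dcs.read"},
}
# Utilities able to override system or application controls; dormant holders matter most.
RESTRICTED_UTILITIES = {"bhs.control", "ad.admin"}

TODAY = date(2019, 6, 1)   # review date for the constructed data

ACCOUNTS = [   # constructed inventory export
    {"user": "agent1", "type": "employee", "role": "gate-agent",
     "entitlements": {"dcs.read", "boarding.print"},
     "contract_end": None, "last_login": TODAY - timedelta(days=3)},
    {"user": "agent3", "type": "employee", "role": "gate-agent",
     "entitlements": {"dcs.read", "boarding.print", "bhs.control"},
     "contract_end": None, "last_login": TODAY - timedelta(days=1)},
    {"user": "ctr7", "type": "contractor", "role": "baggage-ops",
     "entitlements": {"bhs.read", "bhs.control"},
     "contract_end": TODAY - timedelta(days=30), "last_login": TODAY - timedelta(days=40)},
    {"user": "admin2", "type": "employee", "role": "it-admin",
     "entitlements": {"ad.admin", "bhs.control", "dcs.read"},
     "contract_end": None, "last_login": TODAY - timedelta(days=90)},
]


def review(accounts=ACCOUNTS, today=TODAY, dormant_days=45):
    """Return a list of (user, finding, details) tuples for the reviewer."""
    findings = []
    for acc in accounts:
        user = acc["user"]
        # 1. Entitlements the holder's role does not justify.
        extra = acc["entitlements"] - ROLE_ENTITLEMENTS.get(acc["role"], set())
        if extra:
            findings.append((user, "entitlement outside role", tuple(sorted(extra))))
        # 2. Contractor engagement ended but access still present: revoke.
        if acc["contract_end"] is not None and acc["contract_end"] < today:
            findings.append((user, "contract ended: revoke all access", ()))
        # 3. Dormant account that still holds a restricted utility.
        idle = (today - acc["last_login"]).days
        if idle > dormant_days and acc["entitlements"] & RESTRICTED_UTILITIES:
            findings.append((user, f"privileged account dormant {idle} days", ()))
    return findings


def findings_for(user, accounts=ACCOUNTS, today=TODAY):
    """Findings for one user, convenient for ticketing."""
    return [f for f in review(accounts, today) if f[0] == user]


if __name__ == "__main__":
    for user, finding, details in review():
        print(f"{user:8} {finding} {details if details else ''}")
```

The role map is the thing that makes this review meaningful: without an agreed statement of what each role needs, "entitlement outside role" cannot be computed, and reviews degrade into managers rubber-stamping whatever access already exists.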

The Party has just begun

If you feel that this is exhausting, it’s just the beginning. It’s imperative that such complex problems are thought through while designing future airports. Attack vectors have always existed, from time immemorial; only the scope, threat actors and impact have changed over time. Thinking about such misuse cases and being ready for them through awareness, business continuity plans and simulation drills is the key to being safe, secure and ready to face all the challenges ahead.

What are your thoughts on cybersecurity at airports? Which airport do you consider as one of the cyber secure airports around the world?

Image by Michael Gaida, Pixabay


  1. Thanks, it's true and useful... I too am researching on the same... Create awareness, that's the clue.

