Nearly all of the major airports in the US declined to answer our questions on the state of information security in airports, including a few quasi-governmental organizations in charge of facilities in several major metropolitan areas. As for the airlines, or current Department of Homeland Security (DHS) personnel – they were also less than helpful.
If Pollyanna were president, and sugary gum drops fell from the sky like rain, then perhaps all of the clandestine conduct of airport security would be unnecessary. But, regrettably, this is not the world we live in, as the history of human events has revealed.
Examining the state of information security at airports reveals a patchwork system of interconnected parts working together to address network security and – ultimately – passenger safety. Furthermore, the diverse structure and ownership of individual aviation facilities brings about challenges in IT security, as each venue varies in composition and often requires unique solutions.
The Amish Quilt of Aviation Information
IT security of air traffic control systems is the sole responsibility of the Federal Aviation Administration (FAA). Individual airlines maintain passenger lists and the information systems on which they lie. Intelligence information, such as the no-fly list, is the duty of the Transportation Security Administration (TSA).
This should hardly come as a shock to anyone, as each organization – even in a cooperative environment – is typically responsibility for maintaining their own data and network security. The airport, however, provides a unique setting where each constituent’s security procedures must work in concert to achieve the system’s chief objective – to safely deliver passengers from one point to another.
The TSA and its employees are perhaps the most visible of all the security layers at US airports, and Patricia Titus may have the most unique perspective on the agency’s efforts to safeguard America’s transportation facilities, as well as the agency’s information. You see, prior to assuming her position as chief information security officer of Unisys Federal Systems, Titus was the first CISO of the then-fledgling TSA.
At a typical, large international airport, several federal agencies are present, including the DHS, Immigration and Customs Enforcement (ICE), Customs and Border Protection (CBP), TSA, and sometimes even the Department of Agriculture (USDA).
“There are several agencies that will be represented, and in some instances you will have contractors providing screening”, Titus said. “We used to say at TSA that if you’ve seen one airport, then you’ve [only] seen one airport”.
| "I don’t think it makes a difference if you’re in transportation security, critical infrastructure, or a tire shop around the corner, everybody’s got somebody wanting to get information out of their systems. Everybody’s systems are under attack constantly" |
| Patricia Titus, Unisys Federal Systems |
To further complicate the situation, many airports are privately owned, whereas others are owned by private citizens, and some are maintained by state and local governments. The lack of uniform architecture, both in the physical and technical sense, means that nearly every airport will have site-specific arrangements when it comes to network ownership, contracts, maintenance, and the list goes on. In Titus’ assessment, there is a “healthy mix” of all types across the country.
“Some are historical structures, so that makes it difficult when you’re putting IT in, like maybe you want to enhance cameras and hang things from the ceilings”, she adds. There are many historical preservation regulations at play in buildings like these across the nation, and as Titus admits, “you have to get a little creative” in these facilities.
Another obstacle arises in that there are many different IT infrastructures in play depending on the airport type, location, ownership, and existing contracts. If federal and TSA standards, including encryption, are met by the local airport systems, then the TSA contracts out the use of their network cables.
“If they could support us, the TSA would contract with the local airports”, recalls Titus. “If their services didn’t meet our specs and standards, we actually put in our local area networks and cables. Each airport was a little different that way.”
As for the actual IT systems, the TSA uses solutions implemented within the federal information security guidelines, or FISMA. “It was done in a cookie-cutter standup”, says Titus. “We configured a package that would go into the airport using the NIST framework. We would harden our infrastructure and created baseline images. They were all deployed in a standard fashion.”
The type of information the agency protects includes anything that goes over TSA systems during a typical day, including emails, daily operational data, security-sensitive information, law enforcement-sensitive information (all unclassified), in addition to classified communications. Part of Titus’ program responsibility while serving as CISO of the TSA required close cooperation with the Office of Intelligence to ensure that federal security directors had access to necessary information.
Having been at the TSA in 2002, when the agency was just coming together, Titus saw the information network take shape from its infancy. And because the TSA oversees security of more than just airports, Titus says the agency’s information networks were really a “hub-and-spoke environment, which allowed us to have a central point to do data decryption [and] inspection, so that we didn’t promote viruses, worms, or malware. We could contain it, sanitize the data, send it on, and take any anomalous packets out of play.”
“The beauty of the way we developed the network was it allowed us to have a central location where data would come into.” However, Titus admits that the system infrastructure has likely changed since she left TSA, but insists that good security controls were in place during her time, and the people currently in charge of information protection at the agency have likely increased security.
“Guards, gates, and guns”
Information systems employed by the FAA are another component of the airport information system collage. As far back as 1997, security experts advised the US government about the vulnerability of computer security in the aviation sector, especially the systems maintained by the FAA.
During an international conference on aviation security in Washington, Peter Neumann – a principal scientist at SRI International’s computer science laboratory – warned that the complex systems associated with air traffic control were of particular concern. “Significant problems have arisen in computer-communication systems for air-traffic control”, Neumann cautioned. These problems, while not unique to the aviation industry, are part of a long history of “fiascos” that he cited “in attempts to develop large infrastructural computer-communications systems, which are increasingly dominated by their software complexity”.
The report that Neumann delivered more than a decade ago is mainly prophetic. Targets, in his opinion, included both physical and network assets, and could come in the form of terrorists, sabotage, and, in what was all-too-eerie a prediction, coordinated attacks. His chief concern was that the increased use of the internet made for an easy and inexpensive way to conduct terrorism in the aviation sector, perhaps far easier than planning physical attacks.
No doubt the FAA has come a long way in beefing up security on its networks, given that more than a decade has passed since this first sobering assessment. And with all of the Homeland Security funds doled out in the wake of the 9/11 terrorist attacks, coupled with advancements in security technology and intrusion prevention, air traffic control systems are likely more secure than ever before. That does not mean, however, that the FAA’s security needs have been fulfilled, as hackers both with and without terrorist intent continue to poke for holes in the agency’s information systems.
This fact became glaringly clear after a 2009 audit by the Department of Transportation Inspector General and its subsequent report on the state of web application security and intrusion detection being employed by the FAA. It said that more than 800 computer-security related incidents were reported to the FAA in 2008, and in 2009 in excess of 45 000 employee records were stolen when hackers broke into an FAA computer server.
The report called to task the FAA’s lack of intrusion detection system (IDS) capabilities at 734 air traffic control facilities across the nation, in addition to dozens of insecure web applications being used by aviation authorities.
| "Intrusion detection is important, it’s nice, but it’s kind of late. The bad guys are inside the fence at that point" |
| Charles Palmer, IBM |
During the audit, penetration testers employed by the Inspector General found 763 high-risk vulnerabilities among 70 applications tested, not to mention the hundreds upon thousands of medium and low-risk vulnerabilities.
The report concludes that vulnerabilities in these web-based applications, widely used across FAA locations, could be used to infect FAA networks and, once infected, “FAA user computers would take orders from hackers to attack other computers or send critical network information to hackers.”
Excluding remote sites, the FAA has 734 air traffic control facilities throughout the nation. What the audit found was that only 11 of these sites employed active IDS sensors, which prompted the Inspector General’s report to characterize the FAA’s detection capabilities as “inadequate”.
The conclusions of the report are, to say the very least, alarming from a security perspective: “Without effectively deploying IDS monitoring capability at ATC [air traffic control] facilities, FAA cannot be fully aware of potential cyber attacks on ATC systems”. The report goes on to add that because IDS monitoring is not widely deployed, and therefore incidents go unresolved, the FAA leaves unsecured computers on its network, which “increases the risk of further attacks on ATC systems”.
When approached to provide an update on the FAA’s response to the report, an agency spokesperson said that the FAA is continuously working to improve on its network monitoring and IDS capabilities. The FAA declined to release any statistics on the number of IDS devices it currently employs, calling it sensitive information. A perplexing response since this same figure was published just over a year ago in the Inspector General’s report.
When asked about the dearth of IDS deployed by the FAA throughout its locations, Matthew Wood, chief scientist with Solera Networks was shocked by the numbers. “In my mind, it’s like not having a firewall, or not having an IT staff,” he says.
“In today’s environment, even if you question the effectiveness of IDS, it’s something that really should be a standard component of effective network security”, adds Alan Hall, chief of marketing’ at Solera. “We can’t protect against everything, but just because we can’t it doesn’t mean we shouldn’t be protecting against things we do know about”.
An IDS system produces tons of data, gathering information about potential malicious activity. “What you are essentially doing is creating work for extremely skilled resources”, says Rush Carskadden, IPS product line manager for Cisco.
He believes that tight budgets and the critical nature of its mission create a balancing act for the FAA to maintain between monitoring and enforcement. “They don’t have the resources necessary to really devote themselves to dealing with the data they receive from an IDS system”, Carskadden says, and on the enforcement side, its passenger safety that must come first. “There is a stigma that if you put a security system in line and enable it to take action, the real fear there is what if it’s wrong. What if we interrupt a critical transaction because it looked like malicious activity?”
Even though the FAA has hundreds of sites labeled as vulnerable by the Inspector General, Carskadden does not believe the price of widespread IDS deployment to be prohibitive. The up-front costs, in his view, would be “entirely manageable”. The real cost comes in terms of maintaining 24/7 analysis of the system over its lifetime and staff required to interpret the data streaming from the IDS.
Solera’s chief scientist says the lack of IDS used by the FAA means the agency is just one tool short in what he calls a Swiss-army knife of network forensics capabilities. Widespread IDS coverage at these so-called vulnerable facilities would not necessarily thwart an attack Wood assures, but it is nonetheless a vital component of sound security. “A firewall doesn’t always protect you, and an IDS doesn’t always protect you”, Woods exclaims. “But they are going to help you a lot more than if you don’t have them”.
Wood, who is himself also a pilot, says he “sees first-hand every day just how fragile our air traffic control system is. There is already enough chaos involved and when you throw the possibility for external attacks into the mix, or air traffic control disruption, the prospect is very scary.”
In late March, IBM announced a joint research venture with the FAA whereby Big Blue would develop a “first-of-its-kind” prototype security system to accommodate the FAA’s networks and safeguard the nation’s civilian aviation system from future cyberattacks.
“A lot of [the] time, researchers get really excited when they talk to real customers and work on real problems”, says Charles Palmer head of IBM’s Institute for Advanced Security.
The man who founded IBM’s ethical hacking team 15 years ago is also the associate director of computer science at the company’s Watson Research Center in upstate New York. Palmer also serves as senior technical advisor to the Institute for Information Infrastructure Protection (I3P) at Dartmouth College, where he does cybersecurity research for the US government.
Palmer admits that when a customer like the FAA approaches, “they’ve got some real challenges”, adding that the FAA has emerged as a leader in transportation with respect to addressing internet-based threats. So what IBM hopes to provide is an analytical system that correlates both historical and real-time data to identify current and emerging threats across the system. This cross-correlation of data aims to provide threat detection capability throughout all FAA facilities, regardless of location.
“The whole purpose of this project is to build a prototype of a system that can actually keep up with the scale of the amount of information they [FAA] have”, Palmer reveals. “You don’t quite get away from guards, gates and guns, but you certainly have more and more digital, internet-based aviation control systems.”
Confronting the Challenges
Like any good IT security program, especially those tasked with maintaining federal government systems, Unisys’ Titus tells Infosecurity that real-time monitoring of threats and ongoing penetration testing are the norm at TSA.
The former CISO of the TSA also articulates, not surprisingly, that the nature of threats facing the agency’s systems is identical to those encountered by security teams at any organization. “Advanced persistent threats, human error – I think everyone suffers from those same treats”, Titus asserts.
“I don’t think it makes a difference if you’re in transportation security, critical infrastructure, or a tire shop around the corner, everybody’s got somebody wanting to get information out of their systems. Everybody’s systems are under attack constantly.”
IBM’s Palmer agrees with this assessment of the current threat landscape. “The FAA probably has some interesting things to learn [about] if you are a bad guy”, he says half-jokingly. The scale of its networks, encompassing hundreds of airports nationwide, is a daunting task that provides many vulnerability points according to Palmer.
He adds that the FAA, like most organizations, is attempting to leverage the internet for its resilience and connectivity to relay its civilian aviation information as quickly and securely as possible. “Anything can be vulnerable to a weakness”, he says. “What they are particularly concerned about is denial of service and modification of data, and advanced persistent threats like those that affected Google”.
It is somewhat refreshing, perhaps even reassuring, to see organizations like the FAA taking steps to anticipate future threats rather than employing the reactionary ‘shoes-off’ approach to security that is ingrained into much of transportation sector in the US.
Initiatives such as the joint IBM-FAA collaboration that employ predictive analytics to get ahead of the curve wherever possible may be the most forward-thinking response to defending networks that are constantly under attack. As Palmer quips: “Intrusion detection is important, it’s nice, but it’s kind of late. The bad guys are inside the fence at that point.”
On an encouraging note, Titus confirms that reporting of security gaps and vulnerabilities at TSA was encouraged from the very top down, creating an atmosphere that values security. “Our administrator was very plugged in”, she confirms, “and I don’t think the program would have been as remotely as successful without that level of executive support”.
In recounting her stint as one of the pioneers of TSA’s information security structure, Titus couldn’t help but look back at that time with a feeling of exhilaration. “There was a huge sense of mission”, she reminisces.
Recalling sleepless, “crazy” nights helping to build a network for the ground up, Titus says: “We had a green field, so we were able to adapt all of those security standards from the beginning.”