Guidebook on Best Practices for Airport Cybersecurity (2015)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

20 The initial step to reduce cybersecurity risk is to identify the cyber threats that airports face and the data and systems that may be vulnerable to such threats. The next step is to protect those data and systems by implementing countermeasures that reduce the likelihood of a successful attack. This chapter provides details on some of the most important countermeasures and where within the airport environment they should be implemented. Few organizations can implement all the necessary countermeasures at one time. Even if this were possible, a phased approach that addresses the highest priority vulnerabilities first is advisable. This priority should be established by assessing the likelihood of the vulnerabilities identified and the degree of impact a successful attack may have. Once countermeasures are implemented, the job is not done. New systems are being imple- mented at airports at an increasing frequency; new threats arise daily; and countermeasures are rapidly evolving. This environment necessitates an ongoing, flexible, and adaptable approach to vulnerability assessment and countermeasure implementation. The sections that follow provide details on how to implement countermeasures to address common airport vulnerabilities. Airport Systems Most people are aware that cybersecurity affects traditional IT infrastructure such as desktop computers and servers as well as network devices such as routers and switches. Not as apparent are ICS that also can be vulnerable to cyberattack regardless of whether they are connected to the Internet. Wi-Fi networks used for public access to the Internet or secure airport operations also introduce unique vulnerabilities. Furthermore, airports are becoming increasingly reliant on the growing number of IT services that are in the “cloud,” i.e., based within a third party data center that is accessed via the Internet. Airports, the FAA, and airlines are also increasingly reliant on GPS for operational safety and efficiency. Important cybersecurity considerations of these four domains of airport systems are discussed in the following subsections. Airport managers and staff—but also the external service providers who install, configure, operate, and maintain these systems—should review the countermeasures that are specific to the systems they implement. The software and data processes on these systems should also be sufficiently backed up and offer redundant capabilities, especially when they support mission-critical functions. IT Infrastructure Many are under the incorrect impression that, if IT infrastructure is not directly connected to the Internet, it is not vulnerable to attack. This perception is refuted by successful attacks that were initiated via portable storage devices such as USB drives, radio or infrared remote control devices, exposed connections to closed networks, and other non-Internet-based vectors. C H A P T E R 4 Implementing Countermeasures

Implementing Countermeasures 21 While malware and virus attacks often manifest themselves on end points, they are carried, often stopped, and sometimes found on network devices. Some of the primary countermeasures that airports can take to protect their IT networks are as follows: Physical protection should be implemented to prevent criminals from gaining access to ports, cabling, and wireless devices. Within an airport, IT network infrastructure should not be accessible to passengers, the public, or airline and tenant personnel who have not been screened and perhaps badged by airport security staff. This means that this infrastructure should be installed in secure areas protected by access control devices, alarms, and, in some areas, closed circuit television (CCTV) cameras. Architects, design consultants, and construction contractors should be made aware of these requirements in bid packages, contracts, and specifications. If SSI is present in these documents, they should be labeled appropriately and circulated only to those who know their responsibility. Commissioning of the infrastructure should include checks to ensure that the proper physical security has been applied to protect network infrastructure. This will typically require support from IT personnel who are familiar with the topology (i.e., location and routing) of this equipment. More information on this physical protection can be found in countermeasures PE-1, -2, -3, -4, -6, -7, -8, -9 (Joint Task Force Transformation Initiative 2012), which are described in Appendix C. Closing ports is a way to halt some unauthorized internal and external data communications before it reaches a host system. Many applications rely on communications over specific ports (e.g., unsecured web traffic travels over ports 80 and 8080). Only ports that are required for authorized data communication over that branch of a network should be opened. This requires, as a part of the procurement process and software assurance process, that vendors identify required ports and that IT staff review these requirements before systems and applications are procured. Switching critical data communications to non-standard ports, if possible without affecting the functionality of the system or application being installed, is an added measure that may curtail attack vectors that target standard ports. Malware-detecting hardware and software can continuously monitor network traffic to identify known threats and/or anomalous activity, quarantine affected or at-risk systems, and alert personnel before the threat manifests itself in the network and eventually causes harm. As cyber- security actors, threats, and vectors become more advanced and numerous, so have malware detection options. Many third party vendors offer solutions that range widely in price. Some of the more sophisticated options and services may only be feasible for larger airports, but there are also less expensive options that can meet the needs of smaller airports. Backups of system and data resources should be periodically and automatically prepared. Backups should be made before replicating the changes made since the last backup exceeds the cost of preparing a new backup. Because maintaining data can be laborious and therefore costly and the marginal cost of an additional backup is typically minimal, nightly backups are often commonplace. Virtual computing technology also allows full computers (i.e., operating system, installed software, and data) to be easily backed up and to quickly be brought online if an issue occurs. The media on which data and system backups are stored should be kept in a location that is secure from unauthorized access and physical damage by fire, flood, or other disaster. Redundant capabilities should be designed into the architecture of mission-critical systems. As with backups, the cost of a system’s capabilities not being available for a period of time should be weighed against the cost of deploying redundant capabilities that can be accessed should the primary system fall victim to a cybersecurity attack. Many other countermeasures can be implemented to protect IT network infrastructure. The Access Control, Physical & Environmental Protection, and System & Communications Protection countermeasure types listed in Appendix C are the primary ones for airports to consider and prioritize, although other categories offer countermeasures that may also help.

22 Guidebook on Best Practices for Airport Cybersecurity End-Point Systems End-point systems include desktop computers, laptops, and tablets, as well as personal devices such as smartphones. Within an airport environment, FIDS, a tenant or an airport’s POS devices such as parking payment machines, electronic kiosks, and visual paging devices can be considered end-point systems. Protecting these end-point systems requires an understanding of their various components. First, there is the hardware itself. Next, there may be a basic input/output system (BIOS) or other types of firmware installed onto a chip within the system to control its basic functions. End-point systems also typically have an operating system to control more advanced functions. Applications are then installed that work with the operating system to provide functionality to users. These applications often rely on internal, or magnetic, or solid-state storage to store user data. Finally, there are input and output terminals on the system that allow data to be exchanged via a network or removable storage device. All of these components can be vulnerable to cyberattack and therefore must be adequately protected by implementing appropriate countermeasures. Many organizations require end-point systems to have certain countermeasures in place before they are permitted to connect to the network. This requirement may be enforced by policies, procedures, and perhaps agreements between the airport and end users. These measures may also be automatically enforced by a network server or gateway host. If these requirements are not met, the machine may be isolated or virtually disconnected from the network (Rouse 2011). Some of the key countermeasures to consider when protecting end-point systems follow: Physical protection, meaning establishing tangible barriers such as walls, doors, and locks, should be implemented to protect end-point systems from unauthorized access. This includes keep- ing critical systems, data storage media, and network infrastructure within secured areas. It also includes securing devices in publicly accessible areas and protecting access to their ports and controls. BIOS, firmware, and operating systems should be updated to ensure that they have the latest protection prescribed by their vendors. Small, incremental updates that often address a specific issue are referred to as patches. The process of learning about and installing patches and updates can be complex and should be handled by qualified IT personnel. A patch management pro- gram is recommended and the responsibility to identify and install patches should be assigned to individual(s) within the IT department. Antivirus and malware detection software should be installed on end-point computers to detect, prevent, and remove malware before it is installed. Consultants and contractors should be required to have a certain level of malware detection software on the computers they connect to the airport’s network, if such privileges are granted. All malware detection software should be kept up to date so that the latest protective measures are implemented. Software assurance processes should be established to ensure that all software installed on end-point systems employs a minimum level of countermeasures. The software assurance process is described in more detail later in this guidebook. Legacy code should be eliminated or accounted for and tracked. Many critical systems rely on software that includes older, i.e., legacy, code that was “secure at launch [but is] likely riddled with security holes today” (Marfatia 2014). As code or portions of it become inactive, that code should be removed from the application or system. If the code is still needed, it should be identified in the inventory of applications described previously. This will allow IT personnel to quickly identify attacks that target older systems. It will also support business decisions on where and when to invest in specific software upgrades. Disabling USB ports is a step several airports have taken to prevent the easy introduction of malware and theft of data. While this layer of protection can be beneficial from a cybersecurity

Implementing Countermeasures 23 perspective, it does create an inconvenience to users, which should be considered as USB devices have become a common way of exchanging data. VPN software should be used to limit access within the airport’s network when authorized users log in remotely. This limits the ability of attackers or malware to gain access to the air- port’s network by using the remote user’s device as a conduit; however, this does not protect against malware that has already installed itself on the user’s device, which is why virus or mal- ware software should be installed on all end-point computers that have access to an airport’s non-public network. A wide variety of additional countermeasures can be employed to protect end-point systems. It is recommended that the System & Information Integrity and System & Communications Protection categories in Appendix C be reviewed for countermeasures that may be relevant to a particular airport. Industrial Control Systems ICS are systems used to monitor and control various systems such as airfield lighting, baggage handling, HVAC, and utility metering. SCADA, BCS, process control, industrial automation, and energy management systems are all categories of ICS that meet specific needs (Byres 2012). The majority of respondents [28 of 38 (74%) who answered the question] to the survey conducted for this project report that their organization uses ICS. These types of devices increasingly rely on computer and network technology to collect data, analyze the information received, and react with corrective action. Many respondents [12 of 26 (46%) who answered the question] report that their ICS are connected to the Internet. ICS, however, can also be vulnerable even if they are not connected to the Internet. Non- Internet attack vectors to ICS include removable storage used to update the firmware or applications on an ICS, compromise of sensors or communication cables linking sensors to control devices, remote control devices, and unprotected physical access to ports. ICS are also becoming increasingly interconnected and interdependent with other airport information systems, which may introduce additional vectors of attack. Because of this interconnectivity, these devices are exposed to similar vulnerabilities as computers and network devices. ICS and SCADA systems, however, also introduce additional vulnerabilities. The nature of their design requires distrib- uted sensors and actuators that introduce vulnerabilities at these end points as well as along the conduit that leads to them. Unfortunately, malware detection software for SCADA systems is in its early stages, so the vulnerabilities of these systems are more acute. Distributed control systems (DCS) rely on control components spread throughout key nodes in an ICS network, such as a power distribution system. Other systems rely on programmable logic controllers (PLCs) or programmable automation controllers (PACs). These components are digital computers used for automation of typically industrial electromechanical processes, such as control of machinery or light fixtures. These logical units can be programmed to per- form a variety of functions and report back to a common control system. PLCs and PACs can introduce vulnerabilities into an ICS because they are programmable and often lack the security features of authentication and physical protection that traditional IT computers include. In the past, these devices were considered embedded controllers and rarely communicated beyond their local system. Like almost all systems, they have grown in complexity and functionality and their vulnerabilities have increased as a result. Many now include programming ports, external network or wireless access for upgrade, monitoring, or configuration. In some cases the PLC may be used as a downgraded device without disabling of the communications links, leaving a vulnerability.

24 Guidebook on Best Practices for Airport Cybersecurity The problem is that cybersecurity best practices and countermeasures commonly applied to IT infrastructure have not been applied to ICS, although many are applicable. This is partially because these devices are often not considered vectors of cybersecurity attack and are therefore not always protected. Furthermore, vulnerability assessments and penetration tests are often not conducted on ICS (Gopalakrishnan et al. 2013). Many ICS and SCADA devices are based on older technology that is an easier target of modern attacks. To compound the problem, a recent study conducted by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) found that there is a lack of cybersecurity standards for protecting airport control systems (Kaiser 2012). The growth of threats and the lack of countermeasures applied to ICS have opened up vulner- abilities that need to be addressed. Figure 4 shows the relative frequency of common ICS vulner- abilities. Other ICS vulnerabilities include unsecured databases, poorly configured firewalls, and interconnected peer networks with weak security. Many of these vulnerabilities are common to IT systems. Some vulnerabilities that have been identified as unique to ICS include heavy reliance on proprietary network protocols, undocumented software versions, lack of configura- tion documentation, and system stability variations during the vulnerability tests assessment (Gopalakrishnan et al. 2013). The approach to implementing countermeasures to address ICS vulnerabilities is, at a high level, the same as that for traditional IT systems and network devices. The specific countermeasures that should be implemented may, however, differ. For example, many ICS devices that are accessible to the public require specific countermeasures to prevent unauthorized access or tampering. Others rely heavily on distributed sensors, which necessitates measures to protect the signals as they are transmitted to a central unit for analysis and action. An important challenge to consider when protecting ICS devices is that they have typically not been considered a cybersecurity threat and therefore often have little or no security features. IT departments often responsible for cybersecurity are not always informed about ICS device installations until connections to the network or other IT resources are required. In many cases, ICS components may be installed and operational long before any consideration of cybersecurity. To overcome this challenge, facility managers who are typically involved in the specification, procurement, installation, and maintenance of these systems should work closely with the CISO, as well as other IT managers and staff as applicable. Figure 4. Relative frequency of ICS vulnerabilities. Vulnerable Communication Protocols Lack of Input Validation Unpatched Systems Least Privileges Not Enforced Weak User Authentication Source: U.S. Department of Energy (2008).

Implementing Countermeasures 25 Recommended countermeasures for protecting the types of ICS devices found at airports include the following (adapted from Infrastructure Security and Energy Restoration Committee 2007): Limit connections to ICS so that only those that are needed are left open and those that are left open are properly secured. The very nature of ICS requires interconnectivity between dispersed sensors, control devices, control systems, and other components. This interconnectivity requires local and wide area network, wireless, Internet, or perhaps modem dial-up connections. This should include physical input/output ports on the components, as well as virtual ports that provide outside access to the network via firewalls. As a part of the inventory process, all required components, their connections, and protocols should be identified. Those that are not needed should be closed. Those that are needed should be secured using firewalls, de-militarized zones, intrusion detection systems (IDS), and other means. The goal should be to isolate the ICS as much as possible without limiting functionality. Disable services that are not required. Many ICS offer services such as automated meter reading, email notifications, and remote maintenance capabilities. These require network, and in some cases Internet, connections. As explained earlier, these connections can expose vulnerabilities. Services that are not required but are installed by default should be disabled. Enable protective features, which are often disabled by default to facilitate installation and maximize functionality. While older ICS may have few if any cybersecurity protective features, most modern ICS do. Unfortunately, malware detection software for SCADA systems is in its early stages. Conduct vulnerability and penetration tests on ICS as they are on IT networks. These tests should ensure that patches and updates have been applied, unused connections and services are disabled, and required functions are properly secured. Because ICS components are geographi- cally diverse, a physical scan of all components should also be conducted to ensure that they are not accessible. Involve multiple stakeholders, including vendors, installers, users, and affected stakeholders, in a review of possible attack scenarios and the impact such attacks may have. This information along with the results of vulnerability and penetration tests will help prioritize the implementation of countermeasures to protect ICS components. Penetration testing is not rec- ommended on ICS operating in a production environment due to the disruptions that can result (Dugan et al. 2005). Such tests can be performed prior to commissioning and operations or by tapping resources such as the National SCADA Test Bed (U.S. Department of Energy 2014). Train facilities, as well as IT personnel, on the importance of protecting ICS from cyber- attack so that they are aware of and can accommodate proper countermeasures as a part of the selection and implementation of ICS. Staff and consultants who have access to data or components related to ICS should be aware of the sensitive nature of that information and protect it accordingly. As a matter of policy, all managers and staff responsible for ICS should be required to consult with the airport’s CISO or designated IT staff member before the systems are procured and installed. Include ICS in the inventory of systems that may be vulnerable to cyberattack and in vulner- ability assessments to be carried out on these systems. Require strong user authentication so that only authorized administrators, users, and main- tainers can access ICS controllers and sensors. Caution should be taken so that their access is only to the system and components that they are responsible for and not to other components of the ICS or the network(s) to which it is connected. Passwords, often set to default values by manufacturers, should be changed upon installation and checked when the ICS is commis- sioned. User credentials should also be conveyed to authentication systems or transferred by administrators in an encrypted manner. Ultimately, user credentials for ICS should be subject to the same policies and procedures and credentials used for other systems. Patch and update ICS. This should be an organizational procedure that is assigned to a qualified staff member. Where possible, automated processes to install patches and updates as soon as they become available should be implemented.

26 Guidebook on Best Practices for Airport Cybersecurity Include ICS-specific cybersecurity assurances in ICS procurement requirements. These include system configuration, physical access, authentication, system interconnectivity, mal- ware detection requirements, and a variety of other considerations. Vendors should disclose any “back door” access points or default connections that may expose a system to cyber threat. Vendors should also provide documentation on what cybersecurity features are available and what default settings need to be changed to provide protection. The references below include two resources for ICS-specific procurement language. Include ICS in incident management processes and recovery operations. This includes estab- lishing and informing points of contact among staff, affected stakeholders, and vendors prior to an attack and ensuring proper backups of data and that virtualized system components are up to date and readily accessible. With ICS, alternative processes and systems should be ready to activate should the functions of an ICS be unavailable as the result of a cyberattack. Additional resources that airports, as well as vendors and installers of ICS at airports, may wish to consider include the following: Guide to Industrial Control Systems Security (Stouffer et al. 2013) National SCADA Test Bed (U.S. Department of Energy 2014) Cyber Security Assessments of ICS (U.S. DHS 2010) Cyber Security Procurement Language (U.S. DHS 2009 and Energy Sector Control Systems Working Group 2014). Wi-Fi Many airports offer public Wi-Fi Internet connectivity to passengers. A growing number are extending this capability to support baggage handling, aircraft gate, facilities maintenance, oper- ations, and security needs. Wi-Fi has many of the same vulnerabilities as hard-wired network devices and introduces others because physical access is not required. Intercepting and stealing data, introducing service interruptions, and gaining unauthorized access to network system and data resources are among the threats that exist. Following are some countermeasures that can be implemented to reduce the likelihood of vulnerability to these threats (Wi-Fi Alliance 2015): Change default administrator credentials on Wi-Fi network devices. For non-public Wi-Fi networks implement the following countermeasures, as well: Enable Wi-Fi protected access (WPA2) pre-shared key (PSK) security with advanced encryp- tion standard (AES) encryption. Create strong network passphrases. Enable WPA2 security on client that users will use to access Wi-Fi devices. These passphrases should adhere to the airport system’s credential poli- cies where applicable. Secure ports on public Wi-Fi networks so that users can only access the ports and protocols granted by the airport. This may mean only granting access through port 80, which is the most common port used by the hypertext transfer protocol for website traffic. The airport may decide to open other ports to allow secure sockets layer (SSL) protocol for encrypted information that most sites use to handle personal or confidential data (e.g., to process credit cards as passengers change their airline reservations). Airports may also wish to open ports used by businesses for VPN or remote desktop connections. The more ports that are open, the more services are available to legitimate users, but also the more vulnerabilities are exposed to cybercriminals. This tradeoff between service and protection is a decision each airport that offers a public Wi-Fi network must consider. Segregate public Wi-Fi networks so that attacks that successfully overcome the previously described countermeasures can be isolated to the publicly available network so that they do not infiltrate the airport’s private network.

Implementing Countermeasures 27 When airport staff and consultants use public Wi-Fi while traveling for work purposes, they should be instructed to take the following precautions: Enable WPA2 security Disable automatic connections to new networks Disable file and printer sharing These basic precautions and others should be reviewed with IT service providers that install Wi-Fi network devices at airports. Security requirements should be considered as a part of the network design and should be required by contract. Airport IT staff that work with Wi-Fi net- work devices should be trained on Wi-Fi security best practices. Cloud-Based Services Airports are progressively relying on servers, software, and data that reside outside of their network and are accessed via the Internet. This trend is so pervasive that Gartner, Inc. (2013) predicts spending on cloud computing will represent the bulk of overall IT spending by 2016. Ed Anderson, research director at Gartner, suggests that the “growth in cloud services is being driven by new IT computing scenarios being deployed using cloud models, as well as the migration of traditional IT services to cloud service alternatives.” Examples of this shift can be found among airports as well as the FAA. One large hub airport interviewed is relying on cloud services to support email and general office (e.g., word process- ing, spreadsheets, presentations) software needs. The FAA is also headed in this direction with a contract to move 60,000 users to Microsoft®’s cloud-based Office 365 for email, messaging, teleconferencing, and other office applications (Battey 2014). In support of NextGen, the FAA is also considering hosting weather processing services in the cloud (Marks 2013). These organizations and others are tapping the resources of cloud computing for a variety of reasons. Airports interviewed for this project state a key appeal of the cloud is the ability to tap services without the cost and time required to establish those same services internally. Vendors interviewed for a related ACRP project (11-03, Topic S03-07, “Integrating Airport GIS Data with Public Agency GIS”) noted that cloud computing allows them to deploy the latest software releases and provide maintenance that serves all of their customers without the burden of dis- tributing media one customer at a time. Because cloud computing resources are so readily available and are outside of an airport’s firewall, some airport staff members interviewed feel that they fall outside the purview of their airport’s IT policies and procedures. Other respondents, typically CIOs or CISOs, feel that their responsibility is to protect an organization’s data regardless of whether it resides on internal IT infrastructure or in the cloud. This more inclusive perspective seems to be a growing trend. These differing perceptions are enabled by a general lack of cloud computing policy and pro- cedures for end users to follow. Regardless of an airport’s position on cloud-based computing, policy and procedures that define how its staff should approach and interact with cloud-based services are a growing necessity. Cloud computing exposes an airport to similar threats as internal systems expose, except that cloud computing services are available on the Internet and the airport is not directly in control of the countermeasures that can protect these resources. Fortunately, data on the cloud can be pro- tected, but it is exposed to governments, criminal organizations, hobbyist hackers, and others (Honorof 2013a). The National Security Agency, through its PRISM program, has partnerships with many leading cloud-based providers that enable them to access the private data these pro- viders host for their customers (Honorof 2013b). Some providers offer encryption and do not store user login credentials (Honorof 2013b). A study by Johns Hopkins noted, however, that

28 Guidebook on Best Practices for Airport Cybersecurity data that is encrypted at the cloud provider’s site may be visible. Access credentials, if established via a web portal, may also have been intercepted or falsely generated by “man-in-the-middle” attacks (Butler 2014). Recommended countermeasures for airports that use or are considering cloud-based computing services are as follows: Identify and document requirements for security, privacy, and other organizational needs for cloud services (Jansen and Grance 2011). Perform a risk assessment of identified cloud computing requirements (Jansen and Grance 2011). Develop policy governing the use of cloud-based computing. Implement a procurement process for selecting and evaluating qualified cloud service providers (Jansen and Grance 2011). The following steps are recommended: – Evaluate a cloud provider’s ability and commitment to deliver secure cloud services. Periodically assess their capabilities because the threats facing cloud computing, as well as the capabilities of providers, are rapidly evolving. – Ensure that all contractual requirements are explicitly recorded in a service-level agreement (SLA) with the cloud services provider. Involve a legal advisor to review the SLA. – Prior to sharing data resources, confirm that the cloud service provider will return and not store copies of the airport’s information upon termination of the SLA. – Refer to (if available) or conduct (if feasible) a third party risk assessment on the selected cloud provider’s infrastructure. – Ensure that any relevant code or encryption keys are escrowed with a trusted third party. Only send encrypted data into the cloud, because data in transit can be intercepted and, if not encrypted, can provide attackers with credentials and sensitive information. Often this informa- tion can be used to give them a higher level of access for subsequent attacks. Data is encrypted when transferring data using SSL, but an added precaution that should be considered where possible is encrypting the data using a secure key before it is transferred. Use a desktop application to transfer files instead of doing so through the cloud provider’s web portal (Butler 2014). Follow the cloud provider’s security procedures and protocols, which are often readily available on the cloud provider’s site or can be requested. Some cloud providers publish best practice guidelines for their clients to use when transferring data or implementing systems on their infrastructure. Global Positioning System GPS technology is increasingly being used to support aircraft navigation and position report- ing, airport vehicle and staff routing, and other activities at airports. While some of these uses support the airport, others that support FAA and airline operations can also influence airport operations. Unfortunately, GPS service can, and has at airports, been disrupted (i.e., GPS posi- tions are temporarily or permanently stopped) or spoofed (i.e., intentionally false signals that lead to inaccurate positions). Executing these threats requires knowledge, equipment, and nearby access to those devices. Many actors have or can easily learn these techniques, acquire inexpensive equipment, and get close enough to airport GPS equipment to cause harm. Some may not be intentionally trying to interfere with the airport but inadvertently do so while nearby. Human Considerations Often cybersecurity is viewed as a technical challenge involving complex software and hard- ware configuration and review of extensive logs of network activity. While these are important elements of a cybersecurity program, the majority of successful attacks have been the result

Implementing Countermeasures 29 of human action or inaction. “In most cases, negligence is the source of a breach. It’s not that there’s a malicious outsider colluding with a malicious insider, it’s that there’s a malicious out- sider who’s figured out how to take advantage of employee error,” notes University College London Research Institute in Science of Cyber Security director Angela Sasse (Stapleton 2014). Unwittingly opening a malware attachment, being lax about protecting SSI, poor protection of passwords, and posting inappropriate information on social media have all led to successful cyber attacks, many at airports. 95% of security incidents inves- tigated by IBM in 2013 involved human error. –IBM (2014) Training to increase awareness of these threats and measures that airport staff can take to avoid them is provided in the multimedia material. While such human actions are sometimes unavoidable, many can be avoided by providing training, establishing and enforcing policy, and encouraging proactive reporting. Fortunately, these countermeasures are relatively easy to implement and there are many resources available to help. The ease of implementation and the potential to lower the percentage of successful attacks suggest that human-related countermeasures can provide a high return and should be among the first priorities of a cybersecurity program. The most common threats related to human activity and the countermeasures that can be implemented to reduce their likelihood are described below. Social Engineering Social engineering is the use of tools and techniques to trick legitimate users into disclosing confidential information. Often this information is used by criminals to gain access to sensitive data or critical systems. Sometimes this is achieved by tricking a user into installing malware that can support other more advanced attacks. The following are commonly used social engineering techniques: Phishing is sending emails to trick recipients into divulging information or clicking on a link. Attackers may pretend to be in need of immediate help and target the better nature of people trying to respond to emails with confidential information. Spear phishing is a special type of phishing targeting specific individuals with elevated access rights or decision- making authority. For example, an actor may obtain information from a public or compromised source, such as a supervisor, senior manager, or trusted organization. They then use this information to send what appear to be legitimate emails to individuals within the targeted organizations. Smishing is similar to phishing, but uses text messaging to phones, tablets, or other devices. Vishing is similar to phishing, but uses voice or telephony devices such as phones. Shoulder surfing is when actors look over the shoulder of an unsuspecting individual as they are typing a password or an access code into a keypad. Some sophisticated actors use long-range cameras and may even work in teams to accomplish their goals. Dumpster diving is when actors search trash cans and recycling bins to obtain sensitive or confidential information. Actors often look for information like remote access software used and configuration rules so they can profile software vulnerabilities to plan a more aggressive attack. For example, SSI should be shredded (ideally cross shredded) before it is thrown away. Survey participation is when individuals are enticed with the promise of prizes and other rewards to fill in an online survey that appears legitimate but is actually collecting information that can later be used to support an attack.

30 Guidebook on Best Practices for Airport Cybersecurity Attackers often exhibit some common traits, of which legitimate users should beware. These behaviors include the following: • Avoiding conflict by using a friendly approach rather than an aggressive one. • Attempting to develop and build a relationship through previous dealings. • Quick willingness to compromise. • Attempting to distance any responsibility from the target so the target is not hesitant. • Making the target feel guilty. • Misspelling words or making grammatical mistakes in emails allegedly from sources that would not make such mistakes. • Being brief, when the source would typically provide more detail in the context of the email (e.g., simply saying “check out the attached” without any context or description). • Sending email from addresses that do not appear to have originated from the source claimed in the text of the email. Countermeasures that can be put in place to reduce the likelihood of a successful social engi- neering attack include: Provide training to increase awareness of social engineering tactics and the possible signs of an attack. Encourage employees to report suspicious behavior from either humans or computers. They should be warned to not intervene in an active crime but to report their observations as quickly and as safely as possible to security and/or law enforcement personnel. Intentionally send out fake phishing emails to staff that resemble a real phishing attack. When staff members respond to the email, debrief staff to provide additional instruction and guidance so that the mistake is not repeated when they receive a real phishing email. Implement malware detection software that quarantines or alerts recipients to questionable emails. Block domains and email addresses of known attackers before the emails are received. These countermeasures can be very effective in reducing the likelihood of successful social engineering attacks; however, no protective measures are 100% effective. This is especially the case where the variable of human nature is a factor. Even a staff member who is familiar with social engineering tactics may be distracted or tricked by a particularly convincing phishing email. Organizations must also be prepared to respond and recover when a social engineering attack is successful. In addition, software should be put in place to detect anomalous activity quickly and end-point protection should be in place to isolate the effects as much as possible. An explanation of social engineering tactics to avoid is provided in the multimedia material. Bring Your Own Device Increasingly employees are bringing their own smartphones, tablets, laptops, and other devices to work and using them in some cases for business purposes. This trend has become so pervasive that some analysts estimate that 40% to 75% of organizations have adopted BYOD (Phifer 2013). Some airports have also embraced this trend. Many reasons are behind the trend toward allowing BYOD. Personal devices reduce the cost of hardware, software, subscriptions, and network charges. Employees are also familiar with the device(s) they have selected, which can reduce training costs. Empowering employees to select

Implementing Countermeasures 31 their own devices that are best suited to their needs can also boost productivity. As with rental versus personally owned cars, users are more likely to treat their own equipment better (Citrix 2012). Despite the benefits, many airports choose a more traditional approach of banning employee- owned devices from their network or workplace altogether. Such a strategy is understandable, as the NIST cautions “organizations [to] assume that all mobile devices are untrusted unless the organization has properly secured them and monitors their security continuously while in use with enterprise applications or data” (Souppaya and Scarfone 2013). That said, the popularity of mobile devices is an overwhelming trend. The use of mobile devices grew at a rate of 115% in 2013, led by messaging and social media applications, claims Flurry Analytics (Khalaf 2014). “Simply banning BYODs from the workplace rarely works,” suggests Lisa Phifer of Core Compe- tence, Inc. (Phifer 2013). Supporting this notion, Dave Martin, vice president and chief security officer of EMC, challenges “anyone who says they don’t have BYODs to review their logs— I guarantee they’ll find Mobile Safari.” Whether airports welcome or acknowledge BYOD use, it is prudent that they implement countermeasures to protect their organizational data and systems. This is challenging because personally owned devices introduce some new threats, including the following: Less than 25% of stolen or lost devices can be remotely wiped to ensure no sensitive or con- fidential data is lost, states the Security for Business Innovation Council. Dave Martin of EMC notes, “when email is retrieved and opened on a BYOD, I lose visibility into data access. In a phishing attack, I have no idea it even happened, and I lose any chance of [forensic investiga- tion]” (Phifer 2013). BYODs often bypass inbound and outbound security filters enforced by network devices. This can expose the devices to malware and risk non-compliance with data privacy and regu- latory requirements (Phifer 2013). Downloading and installing applications is less regulated on employee-owned devices (Phneah 2013). Former employees may forget or intentionally not disclose that they have corporate infor- mation on their personal devices, which then leaves with them (Phneah 2013). To protect airports from threats introduced by personally owned devices in the workplace, the following countermeasures should be considered: Establish a BYOD policy to protective sensitive information on employee-owned devices. This should be an amendment to an acceptable-use policy for computers and organizational data. A BYOD policy should include the following: – Indicate which employees are eligible to use personal devices in the workplace (Citrix 2012). – Clearly articulate the delineation between personal and airport business. – Establish a list of allowed devices and operating systems. – Identify the types of applications permitted for work use on employee-owned devices. – Identify the types of airport and personal data that should be accessed, used, and stored on the device. This is particularly relevant with regard to data protected by laws and regulations. – Establish legal and copyright protection for airport-owned data. – Establish the right to review any email or, at least any airport-related emails and data on the BYOD. Privacy laws must be taken into consideration when employee personal and work- related emails are co-mingled. – Indicate which device maintenance activities are the responsibility of the owner and which the airport will support. – Indicate the responsibility to report the device is lost, stolen, or replaced. Check compliance with the BYOD policy by periodically asking employees to renew their agreement to adhere to the airport’s BYOD policy. “Simply banning BYOD from the workplace rarely works.” –Lisa Phifer of Core Competence, Inc.

32 Guidebook on Best Practices for Airport Cybersecurity Scan network logs to determine if mobile devices are being used. If so, determine if they were used in appropriate ways. Protect credentials to airport systems that are entered into the employee’s device, so that they are not cached, stored, or persisted. Instructions on how employees can implement this countermeasure should be a part of an employee training program. Require VPN connections be used that limit access to external sites while the employee is using their device for work purposes. Encrypt data exchanged between the employee’s device and airport systems. Implement software that helps provide secure access to airport data and systems and can manage the applications and data on personally owned devices. Wireless intrusion preven- tion systems, mobile device management (MDM), and network access control systems are common technologies used to help protect a network from threats introduced by mobile devices (AirTight Networks 2012). One airport interviewed has employed MDM technology in conjunction with VPN access to allow employees to use their own devices while working on the airfield for facility, operations, and maintenance purposes. Enforce exit policy and procedures that require departing employees to remove applications and credentials that provide access to data and systems and all corporate data. An acknowledgment form signed by the former employee may dissuade many from violating these procedures (Citrix 2012). Train employees on the risks associated with using their own devices and on the airport’s policy, procedures, and resources associated with such use (Lofgren 2013). Employees must understand their responsibility with regard to using their own devices in the workplace. Embracing, or at least addressing, the BYOD trend is really not an option: it is a necessary element of a comprehensive cybersecurity program. Implementing the previous countermeasures may not only help protect an airport but may open up productive uses of personal devices, improve productivity, and enhance morale at a reduced overall cost of ownership. These ben- efits, however, must be weighed against the cost of implementing and maintaining the proper countermeasures. Embracing, or at least addressing, the BYOD trend is really not an option. Training for employees on BYOD is provided on the multimedia material. Use of Social Media Social media are becoming an effective and pervasive professional tool. Social media encom- pass the following: • Content on a publicly available website • Entries on weblogs (aka blogging) • Posts on Facebook™ • Twitter™ tweets (aka posts) • Announcements on LinkedIn™ • Live video streaming or “livecasting” • Really Simple Syndication (RSS) feeds For airports, social media can be an effective way to communicate information about air- port services, upcoming projects, and opportunities for local businesses and consultants. Social media can also be a helpful tool for airport marketing, air service development, and collecting information on customer service and traveler experiences.

Implementing Countermeasures 33 Social media, however, introduce a means of exposing information that, in some cases, should be protected. The use of social media in the work place also introduces additional cybersecurity risks that need to be considered. Some of the most common risks are as follows: Decreased productivity can result from the use of social media. This is not necessarily a direct threat to security, but it is an important factor. From a cybersecurity perspective, a distracted staff member is also more likely to fall victim to social engineering attacks. Also, if the airport allows employees to use their own devices in the workplace, they may be more inclined to use social media applications and managers may be less able to monitor the increased use of social media and its risk. Malware and viruses are typically propagated via email or Short Message Service (SMS) and can be served using social media exchanges via hyperlinks or email. The spread of erroneous information can help criminals introduce panic, confusion, and other factors that can help their attack. Social media are also increasingly used to recruit supporters of nation state and terrorist motives. Leakage of sensitive or confidential data on social media sites allows adversaries to gain infor- mation that they then use for spear-phishing attacks. In some industries, cyber intelligence monitors scan social media sites for publication of confidential information. Reputation can be adversely affected by disgruntled employees publishing rumors or false information about airport safety records, airline practices, and other areas of interest to the public. To reduce the likelihood of social media threats, the following countermeasures should be considered: Address social media use in policies and procedures. Use of social media and its risks should be part of an acceptable-use policy. Airport staff must be aware of the effect of their actions on their employment as well as the potential safety and security impacts on them, their airport, and the public. The use policy must be prescriptive and specific so there is no ambiguity of the acceptable use of social media. Monitor and control the content that is posted. Management should not assume that airport staff have read the policy but should upgrade their content monitoring and technical controls as well as their network monitoring capabilities to scan for inappropriate use of social media. Provide training to increase awareness of social media threats. An effective way to remind staff members of the dangers and risks of using social media is by constantly updating and requiring training on the acceptable use of social media and the airport’s social media policy. Training should highlight the social media risks with real life examples and provide education on corrective actions for abuse and non-compliance of the social media policy for employees. Illustrations of social engineering tactics along with real examples of phishing emails to avoid are provided in the multimedia material. Malicious Insiders A malicious insider threat “is a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intention- ally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems” (Carnegie Mellon University 2014a). This differs from unintentional insider threats where staff members, consultants, and tenants fall victim to social engineering tactics, mishandle sensitive data, or

34 Guidebook on Best Practices for Airport Cybersecurity allow their system credentials to be stolen. Such unintentional behavior can be addressed by pro- viding training and enforcing policy. Intentional violations warrant punitive action and may be met with fines, penalties, termination, and other legal action. Malicious insider threats are more difficult to mitigate for several reasons. They originate from actors who have a higher degree of access than outsiders. These actors are also familiar with the vulnerabilities and critical data and systems of the airport. They are less easy to be detected because they often have a legitimate reason for accessing sensitive data and systems. Recommended countermeasures that can be taken to protect an organization against insider threat include the following (Cappelli 2012): Communicate across departments—including senior management, human resources, IT, security and legal—about general threat concerns, specific employees to be watched, and policy and procedures that should be carried out. This sensitive information should be conveyed based on protocols outlined in the airport’s communication policy. Monitor behavior of employees, consultants, and tenants that are disgruntled, have a history of malicious behavior, or may have sought employment solely to gain a higher degree of access. While doing so, care must be taken to abide by employee privacy laws, regulations, and policy. Collaborate with Human Resources to determine which employees may be likely to become threats and monitor their data, computer, and network activity. They may include employees that are not performing to expectations, those likely to be laid off or terminated, and those recently passed over for a raise or promotion. Also, work with Human Resources to incorporate cybersecurity best practices into a workplace violence program. Leverage technology by monitoring incoming and outgoing data via an IDS, check for abnor- mally high volumes of data movement, and create signatures in security information and event management systems, which can log and monitor for suspicious activity. Focus and protect the most critical data and systems identified during the inventory of data and system vulnerabilities. Additional resources that may help airports identify and mitigate malicious insider threats include the following: CERT Guide to Insider Threats (Cappelli et al. 2012) Common Sense Guide to Mitigating Insider Threats (Silowash et al. 2012) Bridging the Gap: A Pragmatic Approach to Generating Insider Threat Data (Glasser and Lindauer 2013) “Insider Threat Test Datasets” (Carnegie Mellon University 2014b) is a series of datasets on malicious actors and related background data Service Providers Many types of organizations provide services to or at airports. From a cybersecurity perspective, these providers fall into the following two categories: • Those that can increase the likelihood of a cybersecurity attack • Those that provide products or services expressly to reduce that likelihood These groups need not be mutually exclusive; in fact, the greater the overlap, the better, as explained in the following sections. Service Providers That Can Increase the Likelihood of a Cyberattack Airlines, concessionaires, ground transportation providers, emergency responders, and con- sultants all provide services to or at airports. In the course of providing these services, they may have access to information or systems in a manner that can increase the likelihood of a cyberattack.

Implementing Countermeasures 35 A distinction can be made between organizations that provide services to airports (e.g., con- sultants) and those that provide services at airports but are not engaged by the airport itself (e.g., emergency responders). While this distinction is relevant, because it may limit the types of countermeasures the airport may enforce, the primary question to be asked is what level of access these providers have to data and systems that the airport is responsible to protect from cybercrime. This question can be answered when developing an inventory of data and systems during a vulnerability assessment. During the inventory process, those providers who have direct or indirect access to data or a system should be identified. Once identified, the following countermeasures should be considered to properly protect airport data and systems from service providers: Data and system use agreements should be signed by service providers that have access to airport network resources. This should include an acknowledgment of SSI and how it should be handled as well as an affirmation that airport data and systems will be used only for airport business and in accordance with the airport’s acceptable-use policy. Cybersecurity training should be required as a part of contracts, lease agreements, and operating permits of service providers engaged by the airport. The level of training should be adjusted to the degree to which the provider has access to an airport’s network resources. For example, a janitorial services contractor should be provided basic awareness training and instructions on how to report suspicious activity. A consultant providing IT services will require additional training on how to access, use, and protect network devices in the course of their work at the airport. IT protocols and procedures should be established for consultants and other providers of IT or communications services to the airport. Software assurance procedures should be required of all consultants and vendors who implement systems for the airport. Defined procedures should include both software and hardware systems, and procedures on systems implemented on airport premises as well as in the cloud. Certification of vendor capabilities to support countermeasures should be considered as a means of ensuring that the vendors maintain the staff, equipment, and procedures needed to support the airport’s cybersecurity requirements. Certifications should be periodically renewed with vendors that provide information or systems on a multi-year basis. Service Providers That Help Protect an Airport Service providers continue to emerge (and evolve) in response to growing threats and the resulting increase in demand for cybersecurity services. The result is a myriad of options for an airport to consider that span all steps of the cybersecurity process. While some of these services are free, others can be expensive. Some services are offered in conjunction with hardware and products. Some are to be implemented once, while others are periodic or continuous. While the landscape of these offerings is constantly changing, following are some of the most prevalent current offerings: Awareness and training materials are being offered by a growing number of government, non-profit, and for-profit entities. This guidebook and the accompanying multimedia material are examples. The PCI-Essentials online training courses offered by the PCI Security Stan- dards Council is another example. Additional courses can be found at www.pci-essentials.com. The Texas A&M Engineering Extension Service’s National Emergency Response & Rescue Training Center also offers a series of free cybersecurity awareness, planning, and management courses online at https://teex.org/Pages/homeland-security.aspx. Vulnerability assessment specialists working for large organizations, independent consul- tants, and even non-profit organizations can assist airports in identifying data and system

36 Guidebook on Best Practices for Airport Cybersecurity vulnerabilities, as well as assessing the likelihood of these vulnerabilities occurring and the impacts they may have. Such specialists can also help an airport prioritize the implementation of countermeasures to address these vulnerabilities. DHS, working in conjunction with ICS-CERT, NIST and others, have developed free tools and adaptable approaches that organi- zations can use to assess vulnerabilities and set priorities for implementing countermeasures. For example, CARMA from DHS provides a methodology for assessing cybersecurity risks to critical infrastructure. The Cyber Security Evaluation Tool (CSET) helps organizations evaluate their cybersecurity risk posture. Information sharing and analysis centers (ISACs) play an important role in sharing infor- mation on threats as well as connecting organizations with service providers that can help prevent and respond to attacks. Two ISACs that are particularly relevant to airports are the MS-ISAC and the Aviation ISAC (A-ISAC). Both of these centers provide information on threats and points of contact free of charge to airports. – MS-ISAC offers members cybersecurity threat briefings, advisories, and alerts; best practice tips and training material; lists of attackers; a tool for analyzing malicious code; and news- letters. For an additional fee, more advanced services such as vulnerability assessments, network monitoring services, and incident response assistance are provided. Several airports are already members of the MS-ISAC, which is considered by the DHS to be a “key resource for cyber threat prevention, protection, response and recovery for the nation’s state, local, territorial and tribal (SLTT) governments” (MS-ISAC, 2014). – A-ISAC provides indicators and warnings of cyber and physical threats relevant to the aviation sector; offers a central resource for the sharing of best practices relevant to air- lines, aircraft manufacturers, airports, and other aviation stakeholders; coordinates law enforcement activities related to aviation cybersecurity; helps coordinate attack response and recovery activities within the aviation sector; and interfaces with government agencies and other sectors. It acts as a neutral and trusted resource to receive, filter, and disseminate information to stakeholders. Its mission is to “reduce risks and costs associated with disruption to aviation operations due to cyber & physical security events” (Francy 2014). Network monitoring is a collection of systems, processes, and people that work together to monitor inbound and outbound network traffic. The primary task is to review network logs (e.g., proxy logs, application and host logs) for anomalies and take action on relevant alerts. Systems monitored include, but may not be limited to, firewalls, IDS, and intrusion prevention systems. Often the cost of in-house network monitoring can be excessive for an airport. In these cases, off-site service providers can offer some level of protection at less cost. Automated alerts are system-generated notifications that provide information about possible threats as they occur. Because of the volume of information reviewed, it is important that airports roll out an efficient and reliable process to configure and continuously fine-tune such alerts. The basic strategy is to minimize false positives and maximize relevant alerts. Achieving this goal requires a constant tuning process that is triggered by changes to the cybersecurity threat landscape, updates to software and hardware, as well as changes to business requirements. Local and regional law enforcement agencies are becoming increasingly prepared to help airports within their jurisdiction by sharing cyber threat information, assist with implementing countermeasures, and provide support if an attack does occur. As a part of an effective cyber- security program, points of contact at these agencies should be identified, briefed, and kept informed about airport cybersecurity matters on a regular basis. The appropriate law enforce- ment authorities should be notified if an attack occurs. Federal agencies such as the FBI have field agents that are assigned to airports and can be a conduit for assistance from the FBI and other agencies if an airport cybersecurity attack does occur. To be the most effective, the agents assigned to an airport should be identified, briefed, and kept informed about airport cybersecurity matters on an ongoing basis through continued contact between the airport and the local FBI office.

Implementing Countermeasures 37 The choice as to which and how many of these service providers should be tapped is a decision each airport’s management needs to make based on the relative cost versus the benefits they can provide. To help navigate the choices that exist, it is recommended that airport senior managers, CISOs, and IT staff prioritize the countermeasures they wish to implement, assess the skills and availability of existing staff resources, and then select external service providers that can augment these internal capabilities to implement desired countermeasures. As mentioned earlier, the overlap between service providers who can increase the likelihood of a cybersecurity attack and those that can decrease the likelihood will hopefully expand with time as more providers who operate at an airport are trained to help airports fight cybercrime by implementing the necessary countermeasures. Passengers, Greeters, and Other Occupants Previous sections have discussed the importance of training airport staff, tenants, and service providers to help protect the airport against cyberattack. Collectively, those groups are the smallest population at an airport. Passengers, greeters, and other occupants represent the largest groups of individuals at an airport. They should be considered when assessing vulnerabilities even though their direct access to and interaction with airport data and systems may be limited. Passengers and greeters have access to publicly available Wi-Fi networks that most airports offer as a customer service. While these public networks are typically segregated from the airport’s internal network, it may be possible for an attacker to gain access that affects passengers or airport operations or defaces the airport’s image. Passengers and greeters also have easy access to public portions of the airport where many secure devices such as HVAC controls, access control devices, CCTV cameras, and passenger screening devices exist. Passengers also have direct access to kiosks, vending machines, and other devices placed there for their use. Because passengers and greeters have a legitimate reason for being in these areas, it would be relatively easy for those looking to do harm to gain physical access to systems and devices in a manner that could increase the likelihood of a more serious attack. There are numerous countermeasures that should be considered when securing data and systems exposed in public areas. Unlike with staff, tenants, and service providers, these counter- measures are limited to what can be done without active participation. Passengers and greeters are too numerous to effectively train and are not obliged to follow policies or procedures established by the airport. Regardless, the following measures can be taken to protect airport data and systems against cyberattacks from passengers and greeters: Secure Wi-Fi networks accessible to the public as previously discussed. Disable or protect controls and ports on ICS that are in public areas so that passengers and greeters cannot use them to gain a higher level of access. Change default passwords on devices that are accessible to the public. Often electronic devices, such as sign displays, kiosks, and screening devices have administrative or maintenance pass- words that are set at the factory by default. These default credentials are often known to attackers. The access default credentials should be changed according to the airport’s pass- word policies upon installation and prior to the system being commissioned and put into use. Considering passengers and greeters as potential attackers is important when designing a cybersecurity program that addresses all potential vulnerabilities. They should also be regarded as customers that may be affected by a cybersecurity attack. Treating this important population from both these perspectives can help an airport achieve the cybersecurity protection that it requires.

38 Guidebook on Best Practices for Airport Cybersecurity Private, Confidential, and Sensitive Information All of these laws, regulations, and legal agreements require airports to protect personal and sensitive information. According to J. Razo of IBM (Razo 2012), a set of best practices for accom- plishing this goal include the following: Classify data based on who has a need to know and the degree of harm (i.e., operational down time, financial loss, degraded safety) that may result from a breach or loss of the information. This should be done in coordination with other data stewards and senior management to ensure changes are consistent with organizational policy. Data classifications should include SSI, classified, airport use, and public. Additional distinctions that restrict data to certain groups of users within the airport may also be warranted. Financial, human resources, and airport security (other than SSI) information, for example, should perhaps be identified so that it can be restricted to certain user groups. Develop organizational policy for protecting information based on its relative sensitivity. Request that senior management approve of and enforce this policy. Provide guidance and instructions to managers and staff on adhering to, enforcing, and reporting infractions of this policy. Appoint data stewards to perform the following tasks: – Discover and inventory sensitive data. – Define additional discretionary security controls. – Periodically reevaluate the classification and protection measures in place. – Comply with laws, regulations, and best practices with regard to the data. Introduce access monitoring software to understand who is accessing information. This requires real-time analysis of system, application, and network logs to alert when unusual access behavior/pattern is detected. Establish a process to remediate breaches or leaks of information. Periodically educate individuals on how they need to secure sensitive information. This training can be part of the annual certification program. It is useful to highlight changes to both internal and external policies. Training should be prioritized for individuals who handle the most sensitive information. Identify where information is stored and implement additional protective measures if sensitive information is stored in zones outside the direct control of the airport. This should be accomplished as a part of the overall inventory of data and systems that may be vulnerable to cyber threat, as discussed earlier. Working with personal, confidential, and sensitive information is a necessity in the modern workplace and at most airports. It is critical to identify the degree of sensitivity of the various types of data and the appropriate countermeasures to put into place.