
CyberSecurity @ Airports

Paul is flying on an airplane from Bangkok to Hawaii. While the air hostess serves him a glass of champagne, Paul enjoys the calmness of the clouds around him. His flight is about to land in another 20 minutes. The pilot is trying to reach the air traffic controller at the Hawaii airport, but he cannot get through; the traffic controllers are not responding. Meanwhile, frantic calls are underway with the President and other top ministers. The decision is YES. Yes to pay the hacker whose ransomware has crippled the entire system while thousands of lives are at stake.


If you feel that this is fiction, it may be, but what is the guarantee that it cannot become a real scenario? In today’s age, everything is possible. We have seen hospitals in the UK hit by ransomware and metro rail displays showing ransomware messages; what is stopping airports or other critical infrastructure from being hacked?


The Threat Quantum

Airports have always been highly targeted by malicious nation-state actors because attacks on them can result in high-profile disruption, casualties, and damage to a country’s reputation. But the threat quantum has increased exponentially now that modern airports are completely dependent on IT systems for their functioning. Modern airports rely entirely on emerging technologies such as the Internet of Things (IoT), cloud, and integrated systems for efficient, uninterrupted management of logistical challenges. All of this interconnected technology also leads to an unwieldy multitude of new vulnerabilities and potential exploits that make airport cyber attacks a very real risk today.


The US National Institute of Standards and Technology (NIST) categorizes the cyber-threats to airports into political or military, commercial espionage, disruption, and cybercrime. As a result, airport operators may face attempts to access physical security systems or access controls; disruptions in air bridge functions, air conditioning, heating, electrical systems, electronic signage, baggage systems, parking services, or Wi-Fi networks; or Distributed Denial of Service (DDoS) attacks that make the airport’s online services unavailable. In some cases incident response can afford to take its time; airports and other critical infrastructure under attack do not offer that luxury. If the President of a country is flying and the airport is hacked, there may be very little time for those who have to decide whether or not to pay the ransom.


The Ongoing Efforts

The aviation sector, and especially the cybersecurity of smart airports, has attracted researchers in recent years, as the incorporation of new innovative technologies has increased the available attack surface. The Civil Air Navigation Services Organization (CANSO) developed a guide for increasing the security level of Air Traffic Management (ATM) by presenting cyber threats and risks, as well as threat actors and their motives. CANSO proposed a model for addressing cybersecurity in combination with international standards and the NIST Cybersecurity Framework, together with a risk assessment methodology.


Although significant research has been presented regarding ATM cyber risks, there is a lack of research about threats and vulnerabilities in ground handling IT systems and airport services, especially when they are equipped with smart applications. From a hacker’s perspective, a vulnerability in any system, whether an IoT device, a CCTV camera, or a Raspberry Pi computer connected to your network, can act as a gateway for introducing malware into your systems. A drill that does not consider all such misuse cases is not an effective drill, irrespective of how many times it has been conducted. Airport cybersecurity risks in particular change constantly, as new threats and vulnerabilities evolve along with ever-changing technology implementations. Hence it is imperative to identify new misuse cases continually, almost every day.

Airport security and cybersecurity are not new. Research and best practices have been published time and again on such aspects. “Help airports establish and/or maintain effective airport cybersecurity programs based on best practices” is the objective of the report published in 2015 called ACRP Report 140 Guidebook on Best Practices for Airport Cybersecurity. The report is available at the link - http://onlinepubs.trb.org/Onlinepubs/webinars/151105.pdf. The European Union Agency for Network and Information Security (ENISA) has published its continuing work on communication network dependencies in industrial infrastructures, focusing on ICS/SCADA (Supervisory Control and Data Acquisition) systems and IoT infrastructures. In 2016, ENISA also published security guidance for smart airports, presenting key stakeholders, asset groups, threats, risk analysis, best practices, and security recommendations addressed to airport decision-makers, policy-makers, and industry stakeholders.

However, complete scenario-based misuse cases in the current context of IoT, ransomware, smart devices, and self-service kiosks, as well as the upcoming 5G environment, have not been published so far. It is high time we started building such misuse cases and evaluating the mitigation measures for them.


Singapore’s Changi Airport is the ideal place to research and evaluate such misuse cases. They have shown the world how technology can be used in the best possible manner. They could also showcase it as the most secure implementation ever.


Current Challenges

While the discussion has centered around IoT and ransomware attacks, as they grab most of the headlines, understanding and evaluating security at an airport is an extremely complex task. Physical security is left to a panel of experts that consists mostly of people from a defense background. However, this panel must also include a defense cybersecurity expert, even from a physical security point of view, because physical security is itself controlled through IT systems at various airports around the world. In the fully automated airport of the near future, machines evaluating and handling the entire movement of passengers will bring challenges that need to be thought about today.


Here is the current set of challenges that most airports face today.


  • Dilapidated IT infrastructure
  • Undertrained staff
  • Limited cybersecurity awareness
  • Drills conducted for compliance purposes only
  • Vulnerable software implementations / legacy systems
  • Authorization misuse
  • No preparedness or under-preparedness to deal with cyber attacks


Attack Scenarios and Mitigation Measures

This section focuses on ways an attacker could introduce malware into the network systems of the airport or the aircraft. The attack scenarios do not cover events such as oil spillage, disgruntled employees, terrorist attacks, etc.


Tampering with self-service kiosks

If we think from the perspective of an attacker, it seems logical to go after the weakest link. This is a common methodology. Animals follow it while hunting, so why not human beings? Cybersecurity professionals and organizations often focus their entire energy on securing the most critical infrastructure while deeming the non-critical infra unworthy of any security. Why would an attacker go through disabling your firewalls and IDS/IPS, elevating his authorization by hacking the fingerprint database, and evading detection by the several cloud-based platforms deployed for your critical servers?


The self-service kiosks offer a wonderful opportunity to knock at your door. If you open the door, which you will, the attacker will coolly walk through it. These self-service kiosks are often connected to database servers which help in printing boarding passes for passengers. If the attacker is able to introduce malware through a vendor who has come to service the kiosk, or through a BYOD device, half of his/her work is done. It is then only a matter of time before vulnerabilities in the DB server, and so on, are exploited.


Mitigation Measures - Such kiosks should never be on the same network as the back-end systems. It’s best to keep them completely segregated and to allow only one-way communication from such devices.


Phishing attacks

Phishing attacks exploit the weaknesses of an individual. If I’m a cricket fan and I receive an email on that subject, there is a 60-70% chance, or maybe more, that I would click on it. Targeting personnel with privileges is a sensible way for an attacker to enter the network.


Mitigation - For extremely critical infra, dual authorization is the best method to prevent such attacks, in addition to making people aware not to jump into the well all by themselves.


Vulnerable or unpatched systems/ operating systems

The UK hospital hack showed many machines running on outdated, unpatched systems being hit by ransomware. A lot of airports run on outdated or legacy systems which are yet to be patched. This will always be the case, as budgets for upgrades will not be available.


Mitigation measures - It’s time to build systems whose focus is security rather than just convenience. (Wish it could be so easy!!!)


IoT and CCTV attacks

The main characteristic of smart airports is their networked, data-driven response capability delivered through smart components and integrated IoT devices. Any smart device connected to the airport's network may support crucial functions of interoperability between aircraft, airport administration, air traffic control, and other forms of communication.


The Mirai botnet showcased how easy it was to hack devices with built-in default usernames and passwords. The effectiveness of Mirai is due to its ability to infect thousands of these insecure devices and coordinate them to mount a DDoS attack against a chosen victim. A successful DDoS attack results either in access being denied to legitimate users or in the system being unable to distinguish legitimate users from fake ones.

Mitigation - Defense-in-depth measures. However, in my opinion, the best way is to have a red team (any color team) identify and perform such attacks so that authorities understand the variety of attacks that can take place.
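The Mirai pattern described above (rapid login attempts against factory-default accounts on IoT devices) is something a SOC can detect in device login logs. The following is an added example, not code from the original post; the log format, the source addresses and the list of default account names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample telnet-login log from an IoT/CCTV device (not real data).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z telnetd[412]: login attempt user=admin from=198.51.100.7 result=FAIL
2024-03-01T10:00:02Z telnetd[412]: login attempt user=root from=198.51.100.7 result=FAIL
2024-03-01T10:00:02Z telnetd[412]: login attempt user=root from=198.51.100.7 result=FAIL
2024-03-01T10:00:03Z telnetd[412]: login attempt user=support from=198.51.100.7 result=OK
2024-03-01T10:05:00Z telnetd[412]: login attempt user=operator from=10.20.30.5 result=OK
"""

# Assumed list of vendor-default account names that Mirai-style scanners try.
DEFAULT_ACCOUNTS = {"admin", "root", "support", "user", "guest", "service"}

LINE_RE = re.compile(r"user=(?P<user>\S+) from=(?P<src>\S+) result=(?P<res>\w+)")


def analyse(log_text, fail_threshold=3):
    """Return {src_ip: {"fails": n, "default_ok": [users]}} for suspicious sources.

    A source is flagged when it produced at least `fail_threshold` failed logins
    (credential stuffing) or succeeded with a vendor-default account name
    (a device still carrying its factory credentials).
    """
    stats = defaultdict(lambda: {"fails": 0, "default_ok": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not login records
        rec = stats[m["src"]]
        if m["res"] == "FAIL":
            rec["fails"] += 1
        elif m["user"] in DEFAULT_ACCOUNTS:
            rec["default_ok"].append(m["user"])
    return {ip: r for ip, r in stats.items()
            if r["fails"] >= fail_threshold or r["default_ok"]}


if __name__ == "__main__":
    for ip, rec in analyse(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {rec['fails']} failed logins, "
              f"default-account successes: {rec['default_ok']}")
```

A successful login with a default account is the stronger signal: it means the device was never re-credentialed, which is exactly the condition Mirai exploited.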


Access Control Attacks / IAM corruption

What if unauthorized individuals gain access to airports? IAM software generally validates and manages access control. If a vulnerability in the IAM software enables an attacker to corrupt its database and render the building management system useless, the effects could be devastating. Is the IAM software the only way to tamper with access? Disgruntled employees, contractors, or business associates in possession of access credentials may also misuse their authorization privileges and act as insider threats, aiming to steal information for personal gain or to benefit another organization.


Mitigation: Effective user access management should be in place for granting and revoking access to all information systems and services. In addition, the use of utility programs that might be able to override system and application controls shall be restricted and tightly controlled. A variety of countermeasures are also necessary, including data encryption and antimalware, in order to mitigate the impact of such attacks.


The Party has just begun

If you feel that this is exhausting, it’s just the beginning. It is imperative that such complex problems are thought through while designing future airports. Attack vectors have existed from time immemorial; only the scope, the threat actors, and the impact have changed over time. Thinking about such misuse cases and being ready for them through awareness, business continuity plans, and simulation drills is the key to being safe, secure, and ready to face all the challenges ahead.


What are your thoughts on cybersecurity at airports? Which airport do you consider one of the cyber-secure airports around the world?