Airport IT Security: A Small Airport Perspective
Royce Holden, Director of Information Technology
Asheville Regional Airport, Asheville, NC
rholden@flyavl.com

Cyber Security (IT Security)
What does having good policy in place have to do with IT & Cyber Security?
EVERYTHING!

Cyber Security (IT Security)
How to start
- Policy/Directive
- Response Plan/Strategy
- Priority System/Triage
- Communication
- Documentation
- Master Plan (IT)
Example Incident
- Policy/Directive
- Response Plan/Strategy
- Priority System/Triage
- Communication
- Documentation

Cyber Security (IT Security) AVL IT Department
Cyber Security (IT Security) Swim lane Diagram:
Cyber Security (IT Security)
How to start
- Policy/Directive: Why do we need this? It's important to get executive leadership buy-in for creation and inclusion in current Airport Policy Manuals.
- Response Plan/Strategy: How will you handle incidents?
- Priority System/Triage: Take time to prioritize incidents based on organizational impact.
- Communication: Who will you let know about an incident? Who-to-Call List: even an internal list for the IT Department could minimize downtime.
- Documentation: How will you remember an incident? Prevention: documenting an incident and solution could help reduce future downtime scenarios.
- Master Plan/IT: Putting it all together

IT Security Policy/Directive
Policy: a plan or course of action
- Typically approved by an Airport's Governing Body (Authority)
- Purpose: The Asheville Regional Airport Authority is a local government agency created by action of the City of Asheville and the County of Buncombe for the purpose of developing and operating the Asheville Regional Airport.
- Functions: To determine policy and administer the provisions of the laws of North Carolina.
- Public Record
Non-Exhaustive List of Items covered in Policy:
- User Eligibility
- User Accounts
- Staff, Tenant, Public Usage
- Hours of Operation
- Down time / Maintenance
- Email Usage/Public Record
- Installing Software
- Privacy/Monitoring
- Unauthorized Usage/Consequences
- Prohibited Activities/Consequences
- Misuse/Consequences

IT Security Policy/Directive
Where can I start?
- Very Good Examples: http://www.sans.org/reading_room/ (Incident Handler's Handbook, iPad Security Settings, etc.)
- National Institute of Standards and Technology (NIST, U.S. Department of Commerce): http://www.nist.gov/information-technology-portal.cfm (Great Reference for Risk Management)
- Consider joining InfraGard to keep up to date on Cyber Security Information: InfraGard is an information sharing and analysis effort serving the interests and combining the knowledge base of a wide range of members.

IT Security Policy/Directive
Example Policy
- Information Technology Example: Internet and Email Usage Policy
- Objective: To describe the normal procedures for Internet Usage. The procedure outlines the processes and designates the responsible parties for controlling how the Internet and the Local/Wide Area Networks shall be used.
Example Directive
- Information Technology Example: Wireless Internet Access Directive
- Objective: To describe connectivity to the Internet via wireless methods and provide staff direction on use by Authority, Tenant, and Public Usage.

IT Security Response Plan/Strategy
Airport Authority
- Production Servers
- 24-hour Telephone line
- Critical Area CCTV
- Critical Area Access Control
Tenants
- Passenger Processing @ Ticket Counter
- Passenger Processing @ Gate
- Shared Use Printing
Public
- Major MUFIDS Outage (16 or more LCDs in Prime Locations)

IT Security Response Plan/Strategy
Airport Authority
- Non-Production Servers
- Phone not working
- Non-Critical Area CCTV
- Non-Critical Area Access Control
Tenants
- Passenger Processing @ Ticket Counter (Non-Peak Hours)
- Passenger Processing @ Gate
- Shared Use Printing (Non-Peak Hours)
Public
- MUFIDS Outage (Less than 16 LCDs out)
- Wireless not working for more than 5 users

IT Security Communication
- Detail your systems and service agreements.
- Have a who-to-call list for each.
- Know when it is necessary to call Law Enforcement.

IT Security Documentation
Who? What? When? Where? Why? How?
- What: Rogue wireless router found
- Who: Was it? Tenant, Employee?
- When: was it found (Important for Law Enforcement)
- Where: was it found (Physically)
- Why/How: Document how you found it

IT Security Documentation
Spiceworks: Free (or Paid) Helpdesk Solution

IT Security Documentation
Documentation for:
- Lessons Learned
- Faster Incident Response
Forms should include notes, dates/times, etc.

IT Security Example
IT Security Example
Identified Rogue Router
- Using Xirrus Wi-Fi Monitoring Tool, Log Files, inSSIDer software, and a laptop.
- The AP in the terminal office was not broadcasting an SSID and was set up for PSK authentication.
Request for Public Safety Assistance
- Formal Police Report taken & work with Tenant's Corporate Office
- NC State Law, Article 19A. Obtaining Property or Services by False or Fraudulent Use of Credit Device or Other Means.
Follow Up and Closure
- Tenant's Management determined their internal policy was broken by employee who was immediately let go.
- Airport IT documented incident and Lessons Learned.

IT Security Example
Policy/Directive
- Tenants sign a Wireless Usage Policy and agree to enforce it with their employees.
- Tenant Lease Agreements also contain language Re: Improper Use.
- Airport IT has a directive: Monitoring and Logging Networks and System Devices.
Response Plan/Strategy
- Using Xirrus Wi-Fi Monitoring Tool, Log Files, inSSIDer software, and a laptop.
- The rogue AP in the terminal office was not broadcasting an SSID and was set up for PSK authentication.
Priority System/Triage
- Although not disruptive to Wireless Operations, determined a high priority due to violation of Policy.

IT Security Example
Communication
- Tenant's Management determined their internal policy was broken by employee who was immediately let go.
- IT Contacted Public Safety, Formal Police Report taken & work with Tenant's Corporate Office.
- NC State Law, Article 19A. Obtaining Property or Services by False or Fraudulent Use of Credit Device or Other Means.
Documentation
- Airport IT documented incident and Lessons Learned.

IT Security Master Plan
FAA Advisory Circular 150/5070-6B
http://www.faa.gov/airports/resources/advisory_circulars/index.cfm/go/document.list
Use the document above when thinking about putting IT-related components into your Airport's Master Plan.
Ideas follow.

IT Security Master Plan
104.a. modernization or expansion of existing airports or the creation of a new airport
104.b. cost-effectively satisfy aviation demand
If you have or are considering Shared Tenant Services or Shared/Common Use, 202.b.4,6,7:
- Assess the ability of the existing airport, both airside and landside, to support the forecast demand.
- Identify the demand levels that will trigger the need for facility additions or improvements and estimate the extent of new facilities that may be required to meet that demand.
- Identify options to meet projected facility requirements and alternative configurations for each major component.

IT Security Master Plan
202.b.9. Facilities Implementation Plan
- Provides a summary description of the recommended improvements and associated costs.
- The schedule of improvements depends, in large part, on the levels of demand that trigger the need for expansion of existing facilities.
- This is an opportunity to discuss items that are related to IT such as Parking Management Systems, terminal/airfield lighting controls, life safety, etc.
- Don't forget your MDF/Comm. Rooms!

IT Security Thank You