Computer Network Security for ASCs A Panel Discussion to Raise Awareness

Transcription

1 Computer Network Security for ASCs A Panel Discussion to Raise Awareness Moderator and Panel Member: Dennis Treece, CSO, Massport Panel Member: Ray Boisvert, President / CEO, I-Sec Integrated Strategies Panel Member: Dave Aitel, CEO, Immunity ACI/NA Fall Public Safety and Security Conference Toronto, Canada August, 2013

2 Agenda The ups and downs of Internet Connectivity Update on Internet Threats and Internal Threats Airport systems risk: vulnerabilities, threats, consequences What s the worst that can happen if we have IT security problems? What is the most likely thing that will happen? What we can do to decrease our risk, what resources are available to help us?

3 Internet Facts Internet Risk If you are on the Internet, you can access and are accessible by 2.4 billion users Cell phone ownership is approaching the world population of 7 billion many are Internet capable Mobile networking is the growing trend - everything to include your refrigerator and coffee maker will be networked by the end of this decade We use the same transmission paths for banking, social networking, entertainment, porn, shopping, C2, government, and medical services, etc how crazy is that? The question we all face is this: How much of your life and your airport do you want shared with 2.4 billion people?

4 Can You Function Without the Internet? No, But.... Private Networks and Air Gaps Whose Domain are you in? Private networks are not addressable on the Internet. They begin with 10, 172, and 192. They prevent Internet exhaustion under IPV4 and allow companies to operate IP networks internally without worries about address allocation Air Gaps are physical gaps between your network or your computer and the Internet another name is sneaker net. BOLO for maintenance back doors, unauthorized connections

5 Airport Cyber Attack Istanbul airports hit by cyber attack ( :24) The passport control system at Istanbul Ataturk Airport's International departure terminal is now restored after being locked due to an alleged cyber attack on Friday, while another airport in the Turkish largest city was also affected. Local news agency reported that passengers stood in lines for hours and some lashed out at airport officials, as planes' departures were delayed due to the collapse of the system, Xinhua news agency reports.

6 Another Example A Department of Homeland Security system used to conduct background checks may have exposed personally identifiable information of employees and contractors for nearly four years. The vulnerability, found in software provided by a vendor, was discovered by a DHS law enforcement partner, which informed the department this past week. Neither the vendor nor law enforcement agency was identified by DHS. DHS, which says it addressed the vulnerability immediately, is investigating to determine what, if any, personally identifiable information may have been accessed by unauthorized individuals. By Eric Chabow In Gov Info Security, May 24 th, 2013 So - how secure is your CHRC data?

7 Former Assistant Director, CSIS President / CEO ISECIS

8 Understanding the other threat to airport security ACI / NA Public Safety and Security Conference, August 13th, 2013

9 Big, complex, unpredictable environment Threats difficult to define and identify: Real or Imagined Current or Emerging Applicable or Distracting Singular or Complex Isolated or Connected Meaningful or Irrelevant Local, Broad or Global Airports are NOT unique

10 Common Threats - Acknowledged terror, intelligence, foreign manipulation & subversion

11 Less considered Threats but the most current and contemporary cyber, insider

12 Airports: critical point of C.I. Previous: highjack and active shooter Today: sophisticated attack vectors

13 State Actors Organized Crime Terrorist Organizations Hacktivists Bots Insiders

14 Why? Because airports matter! - fifth dimension warfare (states) - hostage or fraud (organized crime) - disruption (Terror) - subversion (non-state actors) - sites for infection (spammers) - advantage or revenge (insider)

15 Responding to Asymmetrical Threats Resilience is Value to Owners and Operators Shareholder Interests and Public Expectations

16 CEO, Immunity

17 Specifics * Modern physical security equipment requires networking and complex computer infrastructure o These are high value targets for a nation state! * Example: Passports with RFID exploits targeting border control * Imagery equipment ( Naked scans ) * Advanced metal detectors (are networked and have updatable firmware) * Airline computers have little physical protection * Supply chain attacks * Organized crime has high incentive to engage in traditional bribery and corruption

18 More * Space requirements often mean server rooms are simply locked cages in the corridors of otherwise public areas! Or other lightly defended places * Airplanes themselves are rich targets for hackers GoGoInFlight, anyone? * Wireless in the Airports is typically lightly secured, in some cases, even the private wireless is running WEP (especially non-us)

19 CSO, Massport

20 It Does Not Have To Be Rocket Science The savvy ASC of the 21 st Century: Must understand the information and automation security issues of the airport Must make sure the IT staff addresses them properly Must reduce Internet risk Could this be the paradigmatic shift the FBI said is needed to address this threat?

21 The Common Issues We All Face Confidentiality How do we ensure only authorized people have access to non-public airport security information? Integrity How sure are we that our data is still there and that no changes have been made? Who/what keeps unauthorized people out of our IT-connected systems? Availability How often are one or more parts of your security systems down for some reason or other? Accountability When something does go wrong, are you told who or what is responsible? Who audits your security systems and IT networks for security effectiveness?

22 Examples of What Parts of Your ASP need Cyber Security Physical Security Camera Surveillance LEO and Guard Force Alarms C2 Communications Access Control Access control system Badge office Policies and Procedures

23 ASC Role in Network Security Work closely with your IT staff You need to understand your network architecture They need to recognize your security requirements Get ahead of the requirements curve SCADA is a great case in point 20+ years of making control systems more responsive to centralized control via the internet, with no security built in. What were they thinking, and where were our security people? What is your SCADA exposure?

24 Internet Security Resources Security Benchmarks, Multi-State Information Sharing Analysis Center, Trusted Purchasing Alliance, Integrated Intelligence Center Information on standards and best practices Rumor control and live chat with a fraud examiner Internet fact resource

25 Questions? Dennis Treece Ray Boivert Dave Aitel