Assessing the Primary Cyber Threats to Airport Internal Operations

Before and After September 11, 2001 Airport Security

One of the worst disasters in United States history occurred on September 11, 2001. Thousands of people died that day, and as a result the processes for airport security began to change significantly.

Airport security prior to September 11, 2001 was far less stringent. Airline meals were served with a knife, sometimes a metal one. A ticket agent would ask whether you had packed your bags yourself and whether they had been in your custody the whole time. Checked bags were not X-rayed or inspected except on international flights. Airlines were in charge of security and hired the screeners, and they had a poor record of detecting threats carried by passengers or hidden in baggage. In May 2000, agents of the Department of Transportation Inspector General were able to use fictitious badges and credentials to enter secure areas of airports 70% of the time. Because too many entities were involved in security, each with its own agenda, communication between the airlines, the airport operators and the Federal Aviation Administration (FAA) was difficult to maintain.

Before September 11, 2001, security was organized jointly by the airport operators, the airlines and the FAA. Airport operators provided security at the airport perimeter and controlled access to secure areas by contracting with private security firms or the police. Airlines were responsible for the security of the aircraft, which included screening passengers, flight crew, baggage and other cargo; private security companies did the actual screening. The FAA's responsibility was to establish and enforce security policies, regulations and procedures.

After the tragedy of that day, a reassessment of the way security was implemented in airports began. In the immediate aftermath, flights were grounded throughout the United States. As a result of the review, new rules were implemented: no knives, box cutters or other sharp objects on planes or in airports, and an end to curbside and online check-in. A paper boarding pass was also required to pass through security to the boarding gate.

About two months after September 11, 2001, the Transportation Security Administration (TSA) was formed. It was originally part of the United States Department of Transportation and was moved to the Department of Homeland Security under the Homeland Security Act signed on November 25, 2002 (the transfer took effect in March 2003).

Once formed, the TSA immediately ran background checks on 75,000 airport employees, increased the police presence and began screening all checked bags. In November 2002 the TSA took over screening from the private companies contracted by the airlines, after it was revealed that improper vetting by those companies had resulted in the hiring of felons.

In addition, because the September 11th hijackers had used the airplanes themselves as weapons, each passenger now had to pass through (depending on the airport) X-ray machines or walk-through metal detectors, pat-downs and carry-on luggage searches. Each passenger was required to carry a government-issued photo ID as well as a paper ticket or e-ticket, and only ticketed passengers were allowed beyond the screening checkpoint to the gate. Airport security in the United States had changed dramatically.

Cyber Security at Airports

After September 11, 2001, heightened attention to security became the new normal, and not only passengers and baggage were scrutinized but the computer networks as well. With a great deal of new technology deployed to support airport security, cyber-attacks entered the lexicon of airport security professionals in the United States and around the world.

In the past 10 years, thousands of attacks against airport networks have been documented, from viruses and other malware to botnets and trojans, carried out by hackers and possibly even by foreign governments such as North Korea. Security awareness at airports still needs attention if these cyber security issues are to be tackled.

The lack of security awareness is best illustrated by the example of Chek Lap Kok airport in Hong Kong. An air traffic controller proudly stated that they had redundant systems, contingency plans and people making the final decisions. A system administrator for their 50 technical systems claimed that there was no risk of a cyber-attack because their network was a closed system with no connection to the Internet and no USB access. These claims were not entirely accurate. Although those systems may have had no direct Internet access, they were connected indirectly, through routers, to other systems that did. Worms, viruses and botnets can still reach such semi-connected systems: a separation that exists only as a VLAN or subnet boundary is a routing decision, not a physical gap.

To illustrate the fallacy that closed systems are secure, consider the 2003 case in which Bank of America ATMs, which the bank said were not connected to the Internet, were nevertheless disabled by an Internet worm (Addison, 2010). The ATMs may have been on a separate Virtual LAN (VLAN) or subnet, but they were still connected to a network containing machines that did have direct Internet access.
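The practical check behind both the Hong Kong and the Bank of America examples is to trace, from the actual routing and ACL configuration, whether any permitted path exists from the Internet to the "closed" segment, rather than to take the claim of isolation at face value. The following is an added example, not code from the original article or from either organisation it mentions. The topology, device names and allow-lists are constructed for illustration: one router carrying three VLANs with no ACL between them, plus a dual-homed maintenance laptop, which is what a "closed" network often turns out to look like once the configuration is read.

```python
"""Reachability check for a "closed" network segment.

Added example, not from the original article or either of the organisations
it mentions. The topology below is constructed to show why "no connection to
the Internet" is a claim about routing tables and cabling, not about the
absence of a path: a VLAN or subnet boundary is only an isolation boundary if
something between the segments actually refuses to forward traffic.
"""
from collections import deque

# Constructed topology. Segments are VLANs/subnets. A "connector" is anything
# with a foot in two or more segments: a router, a firewall, or a dual-homed
# laptop. Each connector carries an allow-list of (from_segment, to_segment)
# pairs; "*" matches any segment. All names are hypothetical.
TOPOLOGY = {
    "edge-firewall": {
        "segments": ["internet", "office"],
        "allow": [("internet", "office"), ("office", "internet")],
    },
    "core-router": {
        # Three VLANs on one router with no ACL between them: this is what a
        # "separate" closed network often looks like once you read the config.
        "segments": ["office", "ops-lan", "atc-closed"],
        "allow": [("*", "*")],
    },
    "maintenance-laptop": {
        # Dual-homed: cabled into the closed network for updates, Wi-Fi to office.
        "segments": ["office", "atc-closed"],
        "allow": [("*", "*")],
    },
}


def _permits(connector, src, dst):
    """True if the connector's allow-list lets traffic go from src to dst."""
    return any(a in ("*", src) and b in ("*", dst) for a, b in connector["allow"])


def find_paths(topology, start, target, max_hops=8):
    """Enumerate simple segment-level paths from start to target.

    Each path alternates segment, connector, segment, ... A hop through a
    connector is taken only if the connector touches both segments and its
    allow-list permits that direction. Segments are never revisited.
    """
    paths = []
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        segment = path[-1]
        if segment == target:
            paths.append(path)
            continue
        if len(path) // 2 >= max_hops:
            continue
        visited = path[::2]  # the segments already on this path
        for name, conn in topology.items():
            if segment not in conn["segments"]:
                continue
            for nxt in conn["segments"]:
                if nxt in visited or not _permits(conn, segment, nxt):
                    continue
                queue.append(path + [name, nxt])
    return paths


def is_isolated(topology, segment, origin="internet"):
    """True if no permitted path exists from origin to segment."""
    return not find_paths(topology, origin, segment)


def hardened(topology):
    """Constructed "after" state: the core router gets an explicit allow-list
    that never forwards into atc-closed, and the dual-homed laptop is removed.
    Returns a new topology; the input is left untouched."""
    fixed = {name: dict(conn) for name, conn in topology.items()}
    fixed["core-router"]["allow"] = [("office", "ops-lan"), ("ops-lan", "office")]
    del fixed["maintenance-laptop"]
    return fixed


if __name__ == "__main__":
    for path in find_paths(TOPOLOGY, "internet", "atc-closed"):
        print(" -> ".join(path))
    print("isolated before:", is_isolated(TOPOLOGY, "atc-closed"))
    print("isolated after: ", is_isolated(hardened(TOPOLOGY), "atc-closed"))
```

On the constructed topology the search finds three routes from the Internet into the "closed" segment (through the core router directly, through the router via the operations LAN, and through the laptop); after the explicit allow-list is applied and the laptop removed, none remain. The model is deliberately coarse (segments and directional permits, no ports or stateful rules), but it is exactly the question an administrator claiming "no Internet connection" should be able to answer from the real configuration.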

In August 2012, a major international airport was found to be the target of a customized variant of the Citadel trojan. The security company Trusteer uncovered the trojan targeting the virtual private network (VPN) used by employees. It was a man-in-the-browser attack that captured the VPN credentials of airport employees, using screen capture and form-grabbing to steal usernames and passwords. After the trojan was discovered, the airport was notified and VPN access was disabled.
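A man-in-the-browser trojan hands the attacker a valid username and password, so the resulting VPN login is indistinguishable from the employee's own at the authentication step; what gives it away is context. The following is an added example, not code from the original article or from Trusteer, showing two cheap signals on a constructed VPN authentication log: one account logging in from two different source networks within a short window, and one source address logging in as several accounts (an attacker working through a batch of harvested credentials). The log format, user names and addresses are all hypothetical.

```python
"""Spotting use of stolen VPN credentials in authentication logs.

Added example, not from the original article or from Trusteer. A man-in-the-
browser trojan gives the attacker a valid username and password, so the login
itself looks legitimate; what gives it away is context. Two cheap signals on
a constructed log: one account logging in from two different networks within
a short window, and one source address logging in as several accounts.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format (timestamp, user, source, result); real VPN
# concentrators differ, so adjust the regex to the one you have.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed sample lines. Addresses are from documentation ranges.
SAMPLE_LOG = """\
2012-08-14T07:58:10 vpn user=jdoe src=203.0.113.45 result=success
2012-08-14T08:02:33 vpn user=jdoe src=198.51.100.7 result=success
2012-08-14T08:05:01 vpn user=asmith src=203.0.113.46 result=success
2012-08-14T09:10:12 vpn user=asmith src=203.0.113.46 result=success
2012-08-14T09:15:40 vpn user=bwong src=192.0.2.99 result=failure
2012-08-14T09:15:52 vpn user=bwong src=192.0.2.99 result=success
2012-08-14T21:40:03 vpn user=bwong src=198.51.100.7 result=success
"""


def parse(log_text):
    """Return (timestamp, user, source address, result) for each well-formed line."""
    events = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip lines in another format rather than abort the run
        events.append(
            (
                datetime.fromisoformat(match["ts"]),
                match["user"],
                ipaddress.ip_address(match["src"]),
                match["result"],
            )
        )
    return events


def detect(log_text, window=timedelta(hours=1), prefix=24):
    """Flag accounts used from several networks within `window` and sources
    used by several accounts. Only successful logins count: the attacker
    already has the right password, so failures are not the signal here."""
    successes = [e for e in parse(log_text) if e[3] == "success"]
    by_user = defaultdict(list)
    by_src = defaultdict(set)
    for ts, user, src, _ in successes:
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        by_user[user].append((ts, net))
        by_src[src].add(user)

    multi_network_users = set()
    for user, hits in by_user.items():
        hits.sort()
        for i, (t1, net1) in enumerate(hits):
            for t2, net2 in hits[i + 1:]:
                if t2 - t1 > window:
                    break  # sorted, so every later hit is further away still
                if net2 != net1:
                    multi_network_users.add(user)

    shared_sources = [str(src) for src, users in by_src.items() if len(users) > 1]
    return {
        "users_from_multiple_networks": sorted(multi_network_users),
        "sources_shared_by_users": sorted(shared_sources),
    }


if __name__ == "__main__":
    for rule, hits in detect(SAMPLE_LOG).items():
        print(f"{rule}: {hits}")
```

On the constructed log, `jdoe` is flagged for two successful logins from different /24s four minutes apart, and `198.51.100.7` is flagged for logging in as both `jdoe` and `bwong`; `asmith` is clean. These are heuristics, not proof: travelling staff and shared NAT addresses produce false positives, and the window and prefix length need tuning to the real population. They are still worth running, because a form-grabbed password is indistinguishable from the real one at the login prompt and, while requiring a second factor makes a captured password far less useful on its own, a man-in-the-browser can relay a one-time code in real time, so detection after the fact still matters.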

Airports are constantly targeted. At LAX (Los Angeles International Airport), attackers made 6,408 attempts to break into a new file transfer server in the two days after it was deployed. Also at LAX, 2.9 million hacking attempts were blocked over two days, and 58,884 Internet policy violations were discovered.

South Korea's Incheon International Airport was a possible target of North Korea when it became the focus of a distributed denial-of-service (DDoS) attack. A man identified as Cho (now in police custody) met with agents of a North Korean trading company in Shenyang, China, and paid them to develop game software. They delivered the games with trojans embedded, and Cho knew the software was infected. The games were sold to distributors, who in turn sold them to end users. The end users' computers became zombies in a botnet that launched DDoS attacks against the airport.

Cyber-attacks against airports are a very serious problem. They can disrupt communications between air traffic controllers and aircraft, and drug traffickers, terrorists and foreign governments can gather intelligence through a successful intrusion and use it to create major problems.

Conclusion

Before September 11, 2001, security was not taken as seriously. Airlines ran the security lines, sometimes with poorly trained contract companies, and did so as cheaply as possible because their goal was to move passengers quickly in and out of the airport. Security was fragmented, and communication between the FAA and the airlines was poor and difficult to manage.

After September 11, 2001, security was strengthened. Airports and airlines became a major target for terrorists and hackers. Airlines no longer ran security: the TSA took over the security lines, luggage scanning, X-rays and behavioral analysis of passengers, while airports continued to handle perimeter security and internal building security. Cyber security grew in importance, and protecting the computing assets of an airport will help increase the public's confidence in its overall security.

References are available upon request.

© 2015 Michael Carr
