Louisville Regional Airport Authority Survives Cyberattack Unscathed

Author: Victoria Soukup
Published in: January-February 2020

Last spring, David Prince was enjoying a Sunday afternoon barbecue with his family when he received a troubling phone call from work. Employees at Louisville Regional Airport Authority were suddenly unable to open shared files.

Prince, the airport authority’s information technology director, soon suspected that something was not right. “I called my network and systems manager, and we both went to the airport immediately,” he recalls.

They quickly realized that file shares had been corrupted with ransomware, and hackers were demanding an amount of bitcoin equivalent to about $22,000. Fortunately, only administrative files at the airport authority were involved. No files were affected at the two Kentucky airports it governs: Louisville Muhammad Ali International Airport (SDF) and Bowman Field (LOU). 

Facts & Figures

Project: Cybersecurity

Locations: Louisville (KY) Muhammad Ali Int’l Airport; Bowman Field

Owner/Operator: Louisville Regional Airport Authority 

Catalyst: Ransomware attack in May 2019

Ransom: Approx. $22,000, demanded in bitcoin

Outcomes: Airport operations were not affected due to strong backup systems, firewalls & network segmentation; breach was limited to non-critical airport authority files; airport authority did not pay ransom

Follow-Up Action: Authority upgraded security measures to provide protection from current & future threats

Although the situation was quickly resolved, it reemphasized the critical importance of having regular cybersecurity training for employees and automatic system backups.  

“I was very pleased with the response of our IT Department when this incident occurred,” says Dan Mann, the airport authority’s executive director. “While we are not yet perfect, the process we had in place worked, and we were able to contain the issue relatively quickly to avoid any major disruptions.”  

Pinpointing the Problem

After arriving at the airport, the IT specialists determined that the problematic files appeared to be coming from one source. “Once we found that computer, we took it off the network to halt the corruption from going any further,” says Prince. “At that point, we began the restore process.”

That involved deleting the corrupt files and returning to the latest system backup, which took place the evening before. The process took 10 to 12 hours. 

“We stopped it from spreading any further,” Prince relates. “But realistically, there wasn’t much further it could have gone, since we had firewalls and network segmentation in place. Once the attack began, it was isolated to just that file share environment.”

The team used a triage approach for file restoration. “We sent an email to staff asking them to let us know if they were working on something important, and we restored those files first,” Prince explains. “Then we worked on all the general files.”

Fortunately, only non-critical airport authority files were affected—newsletters, historical data, administrative documents and Excel spreadsheets. Personnel information and airport operations data were not breached; neither airport’s aircraft operations were affected.

“We went through evaluations with our compliance team and were assured that private employee information was not obtained,” says Prince. 

The ransomware included a bitcoin demand equivalent to about $22,000 at the time. “We did not pay the ransom,” Prince reports. “We had a strong backup system in place, so we did not need to pay the ransom to have them decrypt the files—which is what they were after. If we didn’t have the backup in place and needed the files, then realistically the only option we would have had was to pay the ransom. But due to those backups in place, we didn’t have to and just ignored that request.”

An Ounce of Prevention…

While Prince didn’t give specifics about what started the airport authority’s ransomware problem, the most common trigger is someone opening an unsafe email attachment.

More specifically, he notes that security software can usually stop a virus, and viruses don’t branch out as badly as ransomware does. “With ransomware, there are untold millions of strains out there. A business falls under attack every 14 seconds,” he warns. “And when bad actors are moving that fast, there are going to be threats that are not in your software protection just yet.”

The IT Department’s system of daily backups proved highly valuable for the Louisville Regional Airport Authority. “Backups are your best friend in these events,” Prince emphasizes. “That is what saved us from having to pay the ransom.”

Establishing and teaching best practices for computer usage are also crucial, he adds. Airport employees should be trained about cybersecurity the same way tug and baggage cart drivers are trained about ramp safety. “Many people are on their computers for the bulk of the work day. Sometimes things get routine and employees need a refresher.”

Airport security is no longer limited to TSA checkpoints and perimeter fencing, Prince observes. “Going back in time, the classic focus was on physical security: Who is coming in your door? Who is actually here in person?” he says. “In the past, if you wanted to break in somewhere, you’d have to get in your car, drive somewhere and then break in.” 

“But the landscape has changed,” he continues. “There are more remote workers now. Paperwork and secure files have moved from file cabinets to file servers. And almost everything we have connects to the Internet in one way or another. While that benefits us in our day-to-day lives and jobs, it also leaves our personal and business information more exposed than ever.”

These days, cybercriminals can mount attacks from their basements, using readily available tools. “It’s a new battle now,” Prince muses. “They can have ransomware up and running in a matter of minutes. They don’t have to get out of their chair to do something like this.”

Upgraded Protection

After restoring all the data and ensuring safety networks were in place, Prince and his team reviewed the airport authority’s cybersecurity system. They added new software and subscription services that allow the organization and its airports to stay more protected from emerging online threats. Prince declined to say what specific products were implemented.

“The ones we selected are good,” he remarks. “Such products offer similar functions, but a better vision and are more innovative about staying up-to-date with the changing landscape of cybersecurity and ransomware threats.”

Prince encourages airports to fully leverage the cybersecurity measures used in the business sector, including software upgrades, replacement plans, backup strategies, user awareness training and disaster recovery plans. “Once those things are in place, they should be reviewed yearly, if not more frequently, because technology changes in the blink of an eye.”

As an airport authority executive, Mann agrees about the importance of prevention. That said, he notes that both Louisville airports learned from the incident last spring and now have even stronger security measures in place. “It’s very telling that our world of security now goes beyond a fence line or physical barrier, and it’s crucial we are proactive and prepared to protect ourselves,” says Mann. “The internal reviews and improvements our team did afterward will help us be better prepared should we be faced with any future incidents.” 

Subcategory: IT/Communications
