Tulsa Int'l Performs Cybersecurity Audits

Victoria Soukup

As director of Information Technology at Tulsa International Airport (TUL), James Rockholt knows a thing or two about cybersecurity. It's what he doesn't know that keeps him awake at night.

The scope of potential problems that fall under his domain is mind-boggling, ranging from inside threats mounted by disgruntled employees or tenants to attacks from outside forces such as professional cyber criminals, politically motivated attackers (hacktivists), state-sponsored aggressors from foreign countries, "script kiddies," and even customers passing through the terminal.

While large airports devote entire teams and six-figure budgets to cybersecurity, TUL's Information Technology team has nine people and a budget that reflects its 1.4 million annual enplanements; in other words, lean on both fronts. Yet every time Rockholt attends an industry conference or participates in a webinar, he hears the same dire warning: Cybersecurity protection is critical for airports.

Project: Assessing & Enhancing Cybersecurity 
Location: Tulsa (OK) Int'l Airport 
Consulting Firm: Burns & McDonnell
Strategy: Assess current systems & identify areas for improvement 
Cost: Not disclosed
Timeframe: Two 2-week reviews, each with 1 week of on-site assessment
Standards Used: Nat'l Institute of Standards and Technology Cybersecurity Framework; SANS Institute Center for Internet Security Critical Security Controls
Project Scope: External network attack surface analysis & vulnerability scan; internal network security assessment; phishing simulation; network device configuration reviews 

"A breach in our safety and security systems could cause delays or diversions, which create a significant financial impact for our airlines, other tenants and passengers," he relates. "No one in my position wants to explain to their governing body [that] flights were canceled because we failed in our cybersecurity duties."

Airports are essentially landlords for tenants that work with a myriad of federal agencies to promote a safe and efficient environment, he adds. 

Faced with the challenge of defending TUL against an intimidating volume and variety of cyber threats, Rockholt consulted Stuart Garrett of Burns & McDonnell about where to start. A former firewall administrator himself, Garrett firmly believes that cybersecurity is within the financial reach of all airports, not just large hubs. 

The airport ended up hiring Burns & McDonnell for outside counsel, and the Kansas City-based firm assessed TUL's network devices and business network last year. Much to Rockholt's relief, no major flaws were detected. Consultants did, however, identify areas where the airport could improve its defenses.

"When new technology would come online, we didn't always think about cybersecurity; but we do now," comments Mark VanLoh, the airport's chief executive officer. "The assessments helped us learn about a lot of things we didn't know about or maybe didn't want to think about. We were shown what we needed to do to prepare for the future."

Inherent Challenges
As adversaries continue to target public and private computer networks, cybersecurity is more important than ever, especially for airports and other vital components of national infrastructure. Airports make compelling targets that are particularly challenging to secure, warns Garrett. Multiple stakeholders operating networked computer systems and a variety of governance models compound the complexity, he adds. Malicious disruption to any individual system (baggage, security, passenger processing, public Wi-Fi, parking, etc.) can compromise operations of another, or possibly the entire airport.

Assessing and improving cybersecurity, however, is unlike traditional infrastructure projects such as runway renovations or terminal expansions. "Airports are very comfortable with capital projects that have specific starting and ending points," Garrett explains. "These discrete projects, with design and construction followed by a grand opening and a subsequent lifespan of 20 to 30 years or more, are distinctly different from cybersecurity. Cybersecurity is very much an ongoing process. You can never let your guard down; you can never stop thinking of it; and you never finish the project. That is vastly different from other types of airport projects that engineers, planners, information technology leaders, staff and executives are comfortable with."

Garrett stresses the importance of aspects beyond design and delivery: "Cybersecurity must be considered in other realms such as employee training, risk management review, system integration, commissioning, software patch management and budgets."

Further complicating matters is the lack of a definitive guidebook or, as Garrett calls it, a "Betty Crocker recipe" to follow for securing airport computing environments. "An airport has airlines with their computers on the campus, plus baggage handling systems, fueling consortiums, retailers and vendors, concessionaires and parking revenue managers, ground handlers, common-use suppliers, security and public safety organizations," he relates. "And then you have passengers connected to public Wi-Fi with smartphones, tablets and wearables, and also employee devices. The enormity of the task quickly becomes apparent. Securing an airport is very difficult because no one enterprise runs the computing environment."

Even before TUL's recent assessments, Rockholt was well aware of potential implications from cyber attacks: credit card fraud, financial embezzlement, theft of personnel data, physical security breaches, ransomware, etc. In July, hackers took control of the flight information display screens and sound systems at two Vietnamese airports and used them to broadcast political statements. The website of Vietnam Airlines was also compromised at the same time. For hours, airport staff had to check in passengers manually in order to avoid any computer connections. 

"It's very hard to predict exactly what malicious people want to get their hands on," muses Garrett. "But airports are targets, whether they want to admit it or not." 

Assessing Risk 
TUL underwent two separate audits by Burns & McDonnell, each lasting two weeks. The firm's cybersecurity team began with an initial onsite assessment in early 2016, and then returned at the end of the year to perform a more in-depth review. During the visits, personnel used National Institute of Standards and Technology (NIST) criteria and 20 critical controls. 

Rockholt notes that the first assessment concentrated on TUL's firewall, because that's the point that connects with the Internet and can open doors from the outside. "Most attacks are going to come from an external source, perhaps an outside organization or another country. And the firewall is what they are going to target," he explains. 

The second audit assessed the airport's Wi-Fi system and phishing activity with employee email. "We had scans of all Wi-Fi signals on and around airport property to create a baseline and see if something exists that should not exist," Rockholt says. "The assessments even helped some of the airport tenants. We were able to make recommendations on ways to better protect their networks."

Burns & McDonnell also reviewed the airport's intrusion protection systems and network switches. While the airport's cybersecurity posture had no critical vulnerabilities, the firm recommended configuration and ruleset changes to further optimize and reduce its cyber attack surface. Because each Internet connection uses a different port, the team recommended that TUL change some of its connectivity ports, alter some configurations, and shut down certain ports. 

A final report outlined the results of network scans and presented a list of found hosts for TUL to compare with its own list of known devices. 

Per the firm's advice, the airport subsequently deployed an intrusion detection system to provide added protection against outside attacks. "Our firewall now blocks several thousands of attempted connections from all over the world," Rockholt reports. "Many of those are coming from China and Russia." 

Although TUL declined to share how much it spent on the audits, Rockholt addressed the budget implications for some of the follow-ups: "Many of the recommendations from the assessments only cost our group time and consisted of making configuration changes to the firewall and other IT infrastructure that would make them harder to breach."

Employee education was another important part of Burns & McDonnell's work at TUL. To alert airport personnel about the danger of phishing, consultants sent fraudulent emails to all employees from a fake email address. Anyone who clicked on the link inside the email was immediately directed to a website with tips about detecting phishing emails in the future. 

"We were trying to get the user to click on a link and, in some instances, see if they would put their username and password in a form that loaded up," explains Rockholt, noting that the username and password would register as being entered, but the form would not store the password. 

Support From the C-Suite 
Both Rockholt and Garrett emphasize that prioritizing cybersecurity must start at the executive level and permeate the entire airport. A successful program also requires budgetary support and autonomy for IT staff to make decisions, they add. 

Moreover, it needs to be approached in a comprehensive, airport-wide manner. Rockholt cites facility systems as an instructive example: In the past, HVAC and fire alarm systems were implemented by employees from the Facilities Department without IT support. As technology progressed, the systems started including remote diagnostics and the ability to send email alerts about changes or problems. While such advancements can help reduce cost and improve service, they also require IT networking infrastructure, desktop computers and possibly mobile tablets. "Once that comes into play, it creates a vulnerability," Rockholt explains. "Threats can enter the airport through the HVAC system. In this day and age, if there's Internet connectivity, IT has to be involved in it. Everything is connected in some capacity. The more connections that make people's lives easier, the more vulnerable these connections become."

Baggage systems and overall security are other key areas, and Rockholt is consequently considering additional system-specific cybersecurity assessments. He is particularly wary regarding the data collected about airport employees during the badging process: Social Security numbers, fingerprints, information from background checks. "All that data is kept and needs to be protected," Rockholt says. "It is a hot target for someone wanting to create fake identities."

The new bottom line at TUL is that all systems with internal or external connectivity need to be scrutinized. "Sometimes these connections are set up by people who are brilliant with how HVACs and other such systems work, but they don't have a complete understanding of the risks these connections pose nor the technical knowledge to mitigate these risks. To make matters worse, sometimes IT groups aren't brought in until the project decisions are made or are not consulted at all."

VanLoh says that keeping IT informed about airport projects is critical to cybersecurity and something he fully supports: "Every time we purchase something, whether it's a weather station in the middle of the airfield or a new radio system, IT has to be aware of it, test it and make sure it's a closed system."

No Airport is Immune
Garrett stresses that cybersecurity is important for airports of all sizes. "It is within their reach to have the essential assessments conducted to fill any potential gaps toward a comprehensive roadmap and strategy," he says. 

Undergoing an assessment conducted by experienced cyber consultants is valuable for smaller airports because they don't always have IT staff to do it themselves, notes VanLoh. "Get a consultant on board as soon as you can," he advises. "At least do an assessment to see the condition of your system. It will cost you much more in the long run than if you don't do it."

Not everything needs to be high-tech, adds Garrett, stressing the importance of "softer" elements such as policies and employee training. 

Even geography and cultural attitudes come into play. "So many of us in the Midwest think that bad guys and terrorists probably won't come here and disrupt our operations, and that may be true," VanLoh reflects. "But more importantly, it's easy for someone to sit in a basement in China and hack into our system through the back door and shut the runway lights off in the middle of the night or turn up the AC. Things like that, which would disrupt our operation, are more commonplace in the future than anything else, and that's what's frightening."

According to Rockholt, assessments are just the beginning of keeping an airport safe; and he is pleased that TUL has started the process toward cybersecurity. "Nearly everything is impacted by technology in some capacity," he muses. "While the efficacy gained is amazing, technology also creates the possibility that anything that touches technology is vulnerable in some capacity. Knowing that the best reasonable efforts are continuously being taken to protect your data and infrastructure can certainly help those responsible for running the airport sleep better at night."

