Home' RTCA Documents for Review : DO-230H FRAC Contents 281
©2017 RTCA, Inc.
Physical Control. Monitor and control the telecommunications rooms where equipment and
infrastructure is located. Use access control systems to secured areas critical to the airport network.
NIST has released guidelines for critical infrastructure industries on how to protect company systems from
destructive attacks that could knock out electricity or halt transportation. These voluntary guidelines focus
on the executive management of large enterprises, where support (including financial resources) will be
required for IT managers to strengthen network security.
The NIST plan includes an information flow chart with five “functions” – factors that affect companies’
vulnerability levels, including the degree to which firms know, prevent, detect, respond, and recover from
threats. Each function includes sub-factors such as contingency planning for the recover category. Each of
the five factors is broken down by job position: senior leader, business process manager and operations
manager. Such guidance is a good starting place for airport managers to implement cyber security measures.
NIST Special Publications (SPs) and guides for cyber security measures include:
800-55, Security Metrics Guide for IT Systems for system-level and program-level applications.
800-82, Guide to Industrial Control System (ICS) Security describes how to secure multiple types
of Industrial Control Systems against cyber attacks while considering the performance, reliability
and safety requirements specific to ICS.
800-100, Information Security Handbook: A Guide for Managers includes laws and regulations
such as the Federal Information Security Management Act (FISMA).
There is substantial press coverage of cybersecurity issues, primarily dealing with security breaches of
personal data from internet commerce sites and “brick and mortar” retail stores of credit card data. While
these issues may not initially appear to have anything in common with IASS and other mission critical
airport data systems (even excluding airline reservation and financial data systems) even a cursory analysis
will show that they are not. A simple example is the recent attack on POS (point of sale, or cash register
systems) at national retailer. The remote login credentials of a Maintenance vendor were hacked, giving
the attacker access to a single store’s control network. However, the network and the POS network were
connected, giving the attacker access to POS systems throughout the company, and allowing the theft of
millions of credit card numbers and customer personal data. One can easily imagine a similar attack through
remote maintenance access portals on the IASS and any number of critical airport data systems.
Cybersecurity solutions are highly complex and a discussion of best practices or recommended approaches
is well beyond the scope of this document. This is intended as an introductory primer on cybersecurity
issues which can serve as basis of discussion among security and IT personnel, the IASS design consultant,
airport stakeholders, and airport management to determine the correct approach for each airport.
Vendors are rapidly promoting cybersecurity solutions, but it is important to note that they are aimed at the
business enterprise market, protecting the desktops and servers that sit on our desks and support our daily
business. These are very different in architecture and data flow from our IASS which are in the category of
Industrial Control Systems (ICS). Here are just a few examples:
Business enterprise networks are constantly changing from a hardware point of view, as user
workstations or added and deleted, servers are upgraded, mobile devices connect and disconnect
constantly. By contrast, Airport ICS networks are relatively static as devices are often added only
as a result of building (in our case airport facilities) expansion, renovation and addition.
Business enterprise networks exchange millions of files within the network, and with the world
outside the network, especially via the open internet in the form of emails, web pages, application
files (Word, Excel, PDF), photos, movies, music, voice (Skype), instant messages using any
number of protocols and file formats. By contrast, Airport ICS are much more stagnant, exchanging
data traffic in a very limited number of protocols and few if any files among network connected
Links Archive Navigation Previous Page Next Page