Managing Third-Party Cyber Risk at Airports

Airports must ensure the safety and security of passengers and employees as well as the continuous operation of their critical infrastructure. Cybersecurity incidents and cyber risk pose significant challenges to that goal. In 2019 alone, over 20 municipal governments and a number of major airports in the US have been hit with cyber attacks. These incidents disrupt services and have the potential to put lives at risk.

It is vitally important that airports appropriately manage risk in their environment. From assessments to business continuity plans, there are a number of steps that can be taken internally to appropriately handle risk. But what about third-party vendors? While an airport can work hard to manage risk, if a single vendor has a data breach or is a victim of a cyber attack, the effects of that incident can quickly spread to any organization they support.

Supply chain integrity and third-party vendor risk management are essential to any airport's information security and cyber risk program. A 2018 study by the Ponemon Institute revealed that 56% of organizations have experienced a breach directly caused by one of their vendors. As an example, the major data breach at Target in 2014 was caused by a breach at one of their HVAC vendors.

Managing Third-Party Vendor Risk and Supply Chain Integrity

Airports engage in a significant amount of outsourcing and managed services to meet their needs. From master planning to vertical construction to IT systems, there are a myriad of services and systems that are handed off to vendors for management and completion. Each time an airport adds new systems or obtains new services the organizational risk profile changes. When those systems or services come from a third-party vendor, airports assume the risks brought on by that third-party.

For instance, suppose an airport is considering a new FIDS system from a vendor. Has the vendor developed their product using a secure SDLC and the STRIDE threat-modeling methodology? Are endpoint systems patched, and what is the patching schedule? If the service is in the cloud, what security does the provider offer? Is data encrypted both at rest and in motion? How long is PII retained, if it is handled at all? Does the vendor have a risk management plan? How does the vendor handle our infrastructure drawings and other SSI? These and countless other questions strike at the heart of managing cyber risk by way of verifiable standards.

Airports should confirm that their vendors manage cybersecurity and cyber risk to an appropriate level. To that end, they can use contracts as an enforcement vehicle. In the case of the FIDS vendor, an airport could require that all bidders hold a current ISO 27001:2013 certification, or require a SOC II or SOC Cybersecurity attestation, before the contract is executed. It is also crucial that airports update their internal ISMS to account for the new assets, risks, threats, continuity requirements, and disaster recovery needs.

Vendors can increase their trustworthiness and reduce potential liability by proactively managing cyber risk. The ISO 27001:2013 certification and the SOC II and SOC Cybersecurity attestation processes can seem burdensome, but the certification itself and the risk reduction it brings generate significant value. Airports see a certified or attested company as trustworthy and diligent, even more so when others in the same space lack those credentials. If a cybersecurity incident should arise, having managed risk and created a true ISMS will show that a vendor acted in good faith, with due diligence and due care in the situation.

It Takes Two to Tango

Airports and the vendors that serve them have a responsibility to ensure safe and secure operations for all stakeholders. Cybersecurity incidents pose a real danger to the safe and secure operation of critical infrastructure. Airports and vendors can manage cyber risk by maintaining internal cybersecurity and cyber risk programs that are continually updated and audited. Vendors can demonstrate due diligence and due care through the certification and attestation processes, and airports can do the same by requiring and verifying those credentials.

Our Services

Cyprus Lake assists airports and their vendors to certify that cybersecurity and cyber risk are being adequately managed. For airport vendors, we provide certification preparation and internal auditing services for ISO 27001:2013 and SSAE18 as well as preparation for SOC II and SOC Cybersecurity audits and attestation. For airports, we can help manage internal risk through NIST 800-30, NIST 800-53v4, NIST Cybersecurity Framework, CIS CSC, and ISO 27001:2013 preparation and remediation as well as with advisory services on contract engagements to ensure third-party compliance and attestation.

If you would like more information regarding our services, please contact us at (267) 888-8022 or email us at info@cypruslake.com.


Ransomware at Louisville Regional Airport Authority

Airports were once again subject to ransomware attacks this week as the Louisville Regional Airport Authority (the managing entity for Louisville Muhammad Ali International Airport and Bowman Field) fell victim. The good news in this case is that the attack was isolated, the issue contained, and data restored. Hats off to the team at LRAA for their work! You can read more about this story in the Courier Journal.

As we’ve seen with Cleveland, Atlanta, Bristol, and countless others, airports have become a major target for cyberattacks. Not only that, over twenty US municipalities have been caught in similar situations, leading to loss of services and discontinuity of operations. Since over 70% of airports in the US are owned and operated by municipalities, we can expect to see more incidents sooner rather than later.

The LRAA incident shows that there are strategies that can help mitigate the risk associated with these types of incidents. In their case, isolation and reaction time were key: while the event did occur, their teams were able to maintain business operations and restore key systems in an effective manner.

Cybersecurity incidents will happen: it’s only a matter of time. This applies to cities, airports, and private companies alike. What matters is that proper assessments, planning, controls, and response plans are in place so that business can continue to operate and there is no risk to the safety of customers and citizens. Unfortunately, without proper plans in place, it’s only a matter of time until an incident negatively affects safety. It is imperative that organizations and governments dedicate time to putting plans and measures in place to prevent that from happening.


Ransomware in Baltimore, Cybersecurity, and Municipal Governments

Once again, a major US city has been hit with a ransomware attack that has affected critical city services. On May 7th, the City of Baltimore fell victim to the same affliction as twenty other municipalities this year. A recent article in Vox details the events, though nothing about the scheme is very surprising.

Municipal governments face a daunting task: provide quality services to citizens and, at the same time, be stewards of the revenue they receive. Oftentimes glaring issues, such as a lack of cybersecurity controls and risk management, are missed because other critical matters must be attended to, or because municipal leadership has not been aware of the severe implications that result when these key areas are overlooked.

The federal government has many programs focused on cybersecurity, but that focus can be attributed to its role in protecting our national assets, interests, and borders. The more local the problem, the more physical infrastructure and service quality matter to local leaders, as citizens, rightfully, expect them to. To that end, there are no sweeping federal regulations requiring the various political subdivisions to comply with standard cybersecurity controls, business continuity plans, disaster recovery plans, or other related systems that would help them recover from these incidents.

It is imperative that political leaders and municipal managers take heed of the recent history of ransomware attacks, data breaches, and infrastructure attacks and incorporate sound cybersecurity practices into their budgets and business. While the incidents of late have been more annoying than serious, it is only a matter of time before one of them leads to loss of life or long-term damage to critical infrastructure.