Securing e-business Technology Contributions to Airline and Transportation Security William Crowell President and CEO Cylink Corporation

Post on 12-Jan-2016

Securing e-business

Technology Contributions to Airline and Transportation Security

William Crowell, President and CEO, Cylink Corporation

Critical Rules for What We Do Next

We have to make sure that we don’t fight the last war!

We have to increase the productivity of the entire system to compensate for new processes and increasing complexity and to encourage travel

We have to integrate proven technologies into complete solutions

We have to create real deterrence for people who are not easily deterred

Outline of Presentation

• What are some of the Airline Business Needs?

• Vulnerability of Airline Business to Security Threats

• How Airlines Can Respond and Maintain Business Tempo

• Policy Issues

• Final Thoughts and Conclusions

Some Airline Business Needs

Some Business Forces Post 9/11

• Demand for “Higher levels of Identification Verification” of airline and airport personnel with attendant costs and complexity

• Increasing difficulties and costs of controlling restricted areas increases sophistication of attacks involving fraudulent credentials

• Mobility of airport and airline personnel increases the need for wireless connectivity with attendant security risks

• Complete Luggage screening coverage and throughput challenges

• Passenger matching with luggage per flight.

• Threats to Information and Systems are multiplying and systems must be secure

Candidate Technologies

• Access Control using strong authentication and Smart Cards to securely link authentication to computer and physical access systems

• 2D Barcodes with tracking information, biometrics and imbedded digital signatures

• Biometrics (including fingerprint, facial recognition, and iris matching)

• Wireless systems – particularly 802.11 and airborne data links

• Streaming video and audio surveillance data

• GPS and wireless tracking of vehicles within sensitive areas

• Programmable devices that allow the system to evolve with the threat

Key Challenges

• Consistency across airlines and airports nationally and internationally

• FAA approvals and standards

• Interoperability throughout the transportation system

• Information sharing among transportation providers and law enforcement

• Policy and legal issues – especially privacy

Vulnerability and Threats

Domestic and International Communications Vulnerabilities

• Communications between New York and Philadelphia may pass through dozens of countries, over satellites, and through hundreds of infrastructure points

• Your information passes through a variety of organizations or communications providers and their wiring closets

• There are hundreds to thousands of points of vulnerabilities, most of which can make passwords, routing tables, network architecture and other attack information available

• Many parties have direct access to this valuable content that will weaken your network based systems and businesses

Increased Vulnerability of Networked Systems

• Widespread system vulnerabilities because of use of common (open) technologies used in mission critical systems

  • Operating systems, routers, Telco switches

• Interdependent and interconnected infrastructures

  – Airline Business Transactions are now conducted over Public Networks (e.g. reservations, E-Tickets, flight tracking, maintenance)

• Airlines connected to travel services, partners, and customers via the internet

• Global Communications

  • Geographic Isolation is no longer a consideration – there are no oceans in cyberspace

Sources of Vulnerability to Networked Systems

• Operating Systems (NT, WIN2000, UNIX, LINUX)

• Management Systems (unencrypted SNMP)

• Applications (e-mail, TELNET, FTP, HTTP)

• Modems (both front end and back end)

• Authentication Practices (passwords, tokens)

• Organizational Practices (No Security Policy, No Designated Security Officer)

• People

  – Insufficient User Training

  – Fragmented Access by Users to Security

  – Poor Security Administration and Management

Vulnerabilities of Airline Operations

• Access to sensitive areas and aircraft

• Access to sensitive computer systems (operations, maintenance, ticket and boarding pass issuing systems)

• Defeating screening devices for luggage and people

• Defeating on-board defenses (crew, Sky Marshals, passengers)

Some Viable Responses

Changing Expectations

• Yesterday: You Defined your Security & Trust Requirements

• Today: FAA Dictates Your Security & Trust Requirements

• Tomorrow: Your Customers will Demand Efficient, Trusted and Secure System of Travel

Security becomes an Essential Marketing Tool

Risk Management will have to evaluate the value of Trust

In an Ideal World - Business Drives Security

You:

Define the Business Model that is good for your business

Define the Security Policies and practices that Support the Model

Obtain FAA approval or Certification

Implement Procedures for Supporting the Policies

Monitor the Procedures

Refine, Refine, Refine

Airline Industry Responses to Security in Airports

• Increase security of Airline and Airport Personnel Identity Systems

• Increase efficiency and effectiveness of the passenger and luggage screening process.

• Match luggage to passengers

Passenger ID – The Drivers License

• State Drivers Licenses are becoming increasingly sophisticated by incorporating identifying data into 2D Barcodes

• 900 - 2500 Bytes of data can be printed on the license, but current methods do not allow the verification of the information

• Incorporating a digital signature makes it possible to verify all of the data including a photograph

• Implementing such a system nationwide would make it possible to embed photographs and other identifying data into boarding passes and cross-check other identification
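
The verification idea on this slide, as an added example that is not part of the presentation: an issuer signs everything placed in the barcode, photograph bytes included, and a reader rejects the barcode if any byte has changed. The slide names no algorithm or layout, so Ed25519, the length-prefixed field encoding, the function names and the sample values are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)
const MaxBarcodeBytes = 2500 // upper capacity figure quoted on the slide

// Issue length-prefixes each field, signs the result, appends the 64-byte signature.
func Issue(priv ed25519.PrivateKey, fields ...[]byte) ([]byte, error) {
	var body []byte
	for _, f := range fields {
		body = append(append(body, byte(len(f)>>8), byte(len(f))), f...)
	}
	if len(body)+ed25519.SignatureSize > MaxBarcodeBytes {
		return nil, errors.New("payload exceeds barcode capacity")
	}
	return append(body, ed25519.Sign(priv, body)...), nil
}

// Verify checks the signature over the whole payload before parsing any field.
func Verify(pub ed25519.PublicKey, code []byte) ([][]byte, error) {
	n := len(code) - ed25519.SignatureSize
	if n < 0 || !ed25519.Verify(pub, code[:n], code[n:]) {
		return nil, errors.New("signature check failed")
	}
	var fields [][]byte
	for body := code[:n]; len(body) > 0; {
		if len(body) < 2 || len(body)-2 < int(body[0])<<8|int(body[1]) {
			return nil, errors.New("malformed payload")
		}
		ln := int(body[0])<<8 | int(body[1])
		fields, body = append(fields, body[2:2+ln]), body[2+ln:]
	}
	return fields, nil
}

// Demo verifies a genuine barcode, then a copy with one byte of the name altered.
func Demo() (size int, genuine, tampered error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // issuer key pair; nil selects crypto/rand
	// Constructed sample data: license number, name, 800 stand-in photo bytes.
	code, _ := Issue(priv, []byte("D0000000"), []byte("SAMPLE PERSON"), bytes.Repeat([]byte{0xAB}, 800))
	_, genuine = Verify(pub, code)
	code[12] ^= 1 // first byte of the name field
	_, tampered = Verify(pub, code)
	return len(code), genuine, tampered
}

func main() { fmt.Println(Demo()) }
```

Only the issuer's public key is needed at the reading station, so a reader can check a license offline without being able to produce one.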

Passenger ID’s – Voluntary

• Passengers are concerned about the increase in time required to clear airport security checks in advance of travel – currently two hours and more.

• The cost of increased security stations to ease the backlog is high

• Opt-in passenger ID’s would allow faster processing and another cross check on drivers license

• The system can be flexible and adapt to changing needs

• It can be cross referenced to other ID’s

Video, Audio and Data from Aircraft

– Wireless networks can be used to collect video, audio and avionics data in real time and to authenticate and stream the encrypted data to the ground

– The data can also be streamed to Sky Marshals on board

– Panic buttons can alert crew members and the ground of pending dangers

– The data is available for forensic investigation immediately

Policy Implications of Security Technology

Some Important Issues Regarding Security Technology

• The Big Issue: Privacy

• Business use of encryption: Who owns the Keys?

• Digital Certificates (PKI)

  • One or Many?

  • Who is liable?

• Digital Identification

  • How good is good enough?

  • Who is liable for mistakes – false positives/negatives

• Technology vs. solutions

Privacy Issues

• Central Issue: How can biometric information be used?

• When it is collected (e.g. in a public place)?

• After it is collected?

• How can identity information be used by the government and by private industry?

• How do we prevent identity theft?

Final Thoughts and Conclusions

Some Final Thoughts: Trends in Security Needs

• The New Environment Will Demand Even Stronger Security

• Consider the following trends…

• Key Services Outsourcing = more vulnerability

• Growth in Network based processes using multiple communications protocols including the Internet

• Consolidation of Critical Processes

• Consolidation of Information

• Proliferation and wide availability of Attack Tools

Security Requires Defense in Depth

• Strong, Robust Security Requires Defense in Depth

• If One Line of Defense Fails, other Lines can Take Over

• Two scenarios (Either is compelling):

  • Contains a Breach

  • Provides a Safe Environment for:

    • Maintenance

    • Support of Legacy (old) Services

    • Deployment of New Services

• Secure the Process, the Network as well as the Application with both encryption and authentication

Security Management

• Security management is the #1 contributor to breakdown in security effectiveness

• Functions:

  • Authentication of the Security Devices and Systems

  • Expression and Distribution of Security Policy

  • Monitoring and Auditing

• Separation of Security and Other Types of Management

  • Security Features Interact with other Features

  • Important to Support this Interaction, yet Protect Security Management

Conclusions

• Security is an absolute must for the new situation of the airline industry

• Security should be a business enabler rather than an impediment – technology can help

• Properly used security increases the value of service and confidence of travelers

• Strong Encryption and Authentication are essential ways to combine strength, ease of use, & low cost of ownership