How the Chicago Airports Were Hacked

Aircraft Flight Disturbance

Internal Memo:

Lessons Learned From September 26th O'Hare International Airport Incident

Senior Management

Recommendations to Avert Widespread Flight Disturbances

On September 26th, 2014, both O'Hare and Midway airports experienced a day-long disruption of operations that led to over 2,000 flights being cancelled and the entire nation affected by the disruption of operations. An employee with psychological problems intent on killing himself started a fire in the basement telecommunications room of the Aurora, Illinois control center, then attempted to slit his throat. After posting his suicide note on Facebook, relatives called 911 and both his life and the control center were saved. The fire damaged the most critical areas of the IT infrastructure for air traffic control for both the O'Hare and Midway airports, forcing air traffic control locations in adjacent states to take on one of the busiest areas of the country for air travel. The lack of IT controls in place made this situation particularly treacherous and very dangerous for the thousands of inbound and outbou7nd flights, and left tens of thousands stranded overnight not only in the Chicago area, but in adjacent airports as well. With a more effective IT systems analysis plan the entire situation could have been averted.

Information Systems Analysis and Recommendations

The incidents on September 26th, 2014 underscore one of the most fundamental precepts that enterprise-wide IT security strategies need to focus first, which is screening, precise role definition and management of key staff who manage large-scale IT data centers and systems (Crockett, 1988). For a single employee to gain access to the most critical systems for the air traffic centers serving O'Hare and Midway airports, it's clear there was no role-based access definitions, in addition to any constraints on key IT asset access as well. These two elements of role-based access definitions and constraints on key IT asset access are foundational to effective enterprise security management initiatives (Lynch, 2006). Best practices for ensuring mission critical information systems aren't impacted by acts like these need to increasingly include advanced safeguards including biometrics to both audit and restrict access to such critical IT assets (Deane, Barrelle, Henderson, Mahar, 1995). To ensure that these systems that are essential for routing traffic through O'Hare and Midway aren't impacted by an internal attack it is imperative that the Chicago Airport Authority restrict access to only those areas of the buildings in Aurora and other locations that need maintenance (Lynch, 2006). Taking away the potential for an arsonist event or any other type of sabotage needs to also begin with a focused series of strategies to limit just how much access any one person has to the systems operating the airport. By enforcing more of a role-based, maintenance-only series of system access scenarios could have alleviated the Chicago air traffic control systems being compromised. The bottom line is that the event correlation of having no role- and maintenance-based access workflows and constraints by each member of the staff defined left the most critical systems completely unprotected and vulnerable to attack.

The IS and IT personnel can mitigate the disruption of service by first having a clearer definition of role-based access and auditing to ensure no single person can take down the entire complex of air traffic control system. Security zones need to be created and enforced around each specific mission-critical system for an enterprise-wide security strategy to succeed (Pinta, 2011).

The Chicago Airport Authority needs to create a more integrative approach to system fail-over and continuity through the use of real-time system failovers (Menkus, 1994). Given Chicago's location in one of the more severe weather locations in the U.S., investing in a fault-redundant backup and real-time backup systems enterprise-wide would be a good investment. Instead of just taking an IT system-only view of the compromised systems, The Chicago Airport Authority needs to concentrate more on creating an overarching Business Recovery Plan (BRP) that includes a clear definition of roles and responsibilities by team, clear lines of authority also to who runs each time, and a very specific set of recommendations and procedures for managing emergency situations. Finally the BPR needs to concentrate on how to ensure the highest quality and fidelity of air traffic service possible. Orchestrating all of these factors together requires a comprehensive, well defined Business Recovery Plan that includes workflows that anticipate and plan for the complexity of emergency situations of any kind that could impact overall air traffic control network performance.