
I am trying to figure out how to detect potential threats from malware in various systems installed in the airport.

To be specific, my focus is on the following systems in airports:

  1. Baggage Handling System (BHS)
  2. X-ray machines
  3. CCTV
  4. Building Management System (BMS)
  5. Airport Operating System (AOS)
  6. Human Resource Management System (HRMS)

Now, my objective is to determine some KPIs/metrics for each of the systems that need to be tracked in order to understand whether any potential cyber-attack is imminent.

I tried Googling a lot, but was not able to find anything specific on what exactly my KPIs should be. Any kind of help would be appreciated.

SamRoy
  • This seems like a homework question. It's a great homework question, but you need to attempt to answer it yourself. The reason I think this is not a real situation is because airports globally have well-established protocols, guides, and standards for all these things. You'll look awesome to your instructors if you look up those guides. – schroeder Nov 06 '19 at 19:27
  • Also, there are books written on how to formulate security KPIs. Look those up, too. – schroeder Nov 06 '19 at 19:28
  • It's not a homework question. I am trying to understand this for some office related work. – SamRoy Nov 06 '19 at 22:27
  • If you work for an airport, there will be standards in your country that you should investigate. – schroeder Nov 06 '19 at 22:36

1 Answer


You can't really know whether an attack is imminent. All you can do is try to identify what the security posture of the systems is, and what resources, processes, and procedures you have in place in order to identify and respond to security incidents that affect those systems.

If you really need to boil it down to KPIs, here's what I would try to quantify for each of the devices/systems in question:

  • How long has it been since this system received updates/patches?
  • When was this system last covered by a penetration test?
  • Does the system have any known issues that are documented in your risk register? How many? Of what severity / CVSS scores?
  • When was the last network security architecture review that covered the network segment(s) that the system is connected to?
  • Is this system in your asset management database and is the information up to date, including contact information about key stakeholders and maintainers?
  • Do you know where this device physically is? Do you know what the physical access controls are for that location? Can you easily identify who has access to, and who has recently accessed, that area?
  • Do you have a documented threat model that encompasses this system?
  • Do you have visibility of this system within your SIEM? If you make changes to a critical system without the proper procedures, does your SOC notice?
  • Do you have specific guidance relating to this system within a security incident response playbook? If that system were to be hit by ransomware, for example, do you have a predefined set of steps to follow in order to handle that incident? Can you recover?
  • Are there any regulatory requirements relating to this system? Are they being properly considered as part of your security testing process?
  • Could a breach of this system lead to a safety hazard? If so, what compensating measures do you have to help minimise the risk and impact?

And more generally as an organisation:

  • When did you last test the responsiveness of your security monitoring and security team? e.g. with a red team exercise.
  • Do you have a plan in place for the eventuality of several of your infosec team being unavailable (e.g. due to illness) during a security incident? Are others trained to use your security incident response playbooks? Do they have the necessary access to perform the steps within them?
  • When was the last time you had a comprehensive review of all of your security documentation?
  • Do you train your staff on how to handle phishing attacks? Do you send phishing emails to test them?

The more of these you can answer in a positive manner, the better. But don't just answer off the cuff based on your own personal memory of your organisation's security activities. Check that the documents you think exist, do exist, are up-to-date, and are known about by your staff. Verify that the procedures work as you expect them to. Run mock incident exercises. Where you have answered no to a question, or where you find deficiencies as part of your review, ensure that you put together a list of things that need further attention.

Finally, the key part: you can't just do this once. You need to go through and do this annually, at least.

Polynomial
  • These are all great questions to ask, and should be asked, but they are not KPIs or metrics (most are not even measures). You've got compliance items, maturity posture items, governance and audit questions, and high-level security management questions. – schroeder Nov 06 '19 at 19:35
  • @schroeder While the answer does give me some idea about how these things should be dealt with, you are right to mention that they are not actually KPIs. I am looking for something like "the number of attempts from a particular IP address trying to access the network in the last 24 hours" (very roughly speaking). Any answer of this type would be appreciated. – SamRoy Nov 06 '19 at 22:33
  • I think you need to understand security KPIs in general. I really think you need to pick up one of the many texts on the subject. We can't bring you up to speed on a Q&A site. – schroeder Nov 06 '19 at 22:35
  • Understood. I will look for some materials online. – SamRoy Nov 06 '19 at 22:38
  • @schroeder My apologies, it seems that OP was looking for some sort of network metric that somehow indicates that a breach is in progress, rather than indicators of the capability and performance of their organisational security in respect to key systems. I definitely agree that "breach imminent" metrics aren't something that can be conveniently described in a Q&A environment. – Polynomial Nov 06 '19 at 23:15
  • @Polynomial no worries. It's a great set. I work with an airport and I know the types of resources and standards they are held to, and you've covered a lot of it. – schroeder Nov 06 '19 at 23:22
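The kind of operational metric SamRoy describes in the comments (failed access attempts per source IP over the trailing 24 hours, with an alerting threshold) computed over sample log lines. This is an added example, not code from the original thread; the syslog-like line format, the system names, the sample timestamps and the threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log lines (not from the thread): timestamp, system, source IP, result.
SAMPLE_LOG = """\
2019-11-06T10:00:01 bhs-gateway src=10.20.30.40 auth=FAIL
2019-11-06T10:00:03 bhs-gateway src=10.20.30.40 auth=FAIL
2019-11-06T10:00:05 bhs-gateway src=10.20.30.40 auth=FAIL
2019-11-06T11:15:00 cctv-nvr src=10.20.30.41 auth=OK
2019-11-05T09:00:00 bhs-gateway src=10.20.30.42 auth=FAIL
2019-11-06T12:00:00 bms-controller src=10.20.30.40 auth=FAIL
"""

# Assumed reference time for "the last 24 hours" when evaluating SAMPLE_LOG.
EXAMPLE_NOW = datetime.fromisoformat("2019-11-06T12:30:00")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<system>\S+) src=(?P<src>\S+) auth=(?P<result>\S+)$"
)

def parse_log(text):
    """Yield (timestamp, system, source_ip, result) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line: skip rather than crash the metric job
        yield datetime.fromisoformat(m["ts"]), m["system"], m["src"], m["result"]

def failed_attempts_per_source(text, now, window=timedelta(hours=24)):
    """KPI: failed access attempts per source IP inside the trailing window ending at `now`."""
    counts = Counter()
    for ts, _system, src, result in parse_log(text):
        if result == "FAIL" and now - window <= ts <= now:
            counts[src] += 1
    return dict(counts)

def sources_over_threshold(text, now, threshold=3):
    """Source IPs whose 24h failed-attempt count reaches the alerting threshold."""
    counts = failed_attempts_per_source(text, now)
    return sorted(src for src, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    # The 2019-11-05 entry falls outside the window and is not counted.
    print(failed_attempts_per_source(SAMPLE_LOG, EXAMPLE_NOW))
    print(sources_over_threshold(SAMPLE_LOG, EXAMPLE_NOW))
```

Tracking the same count per system (BHS gateway, BMS controller, CCTV NVR) only requires keying the Counter on `(system, src)` instead of `src`.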