The insider threat in aviation

As Aviation Security Training Organisations in the Republic of Ireland are mandated to inform ALL trainees about insider threat within aviation, radicalisation and security culture from the start of October, I thought that it would be a good opportunity to discuss the first of these topics – the insider threat.

We added a module on radicalisation, the insider threat and fostering a positive security culture to our BSAT and GSAT courses in August, and all trainees are covering these topics as part of their initial and recurrent aviation security training.

If you have any questions about any of the course content and material please feel free to get in touch: contact@butterfly-training.us

——————————

An airport is a complex entity, with multiple occupants, a transient population and time-critical operations. Such an environment is vulnerable to a variety of different risks and threats.

To define the insider threat more clearly, we first need to understand what constitutes an ‘insider’ within the aviation context. Essentially in an airport environment, an insider is an individual who exploits their knowledge or access to their airport, airline, or organisation’s assets, for unauthorized purposes. So, the insider could be virtually anyone, including an employee, contractor, consultant or anyone else who has legitimate access to their organisation’s information or assets. This problem is especially difficult to manage when you consider the interdependencies and wealth of information that moves around an airport.

So why are insiders so dangerous?

The danger presented by an aviation insider is that they already understand the external security of airports and aviation assets and will be able to exploit their knowledge of these security measures. Many aviation insiders potentially also have access to the most critical and sensitive parts of an airport. They are already in a position of trust and might hold an access badge to an airport’s airside, for example. Given this enhanced level of access, they are more likely to be able to identify vulnerabilities and target the weakest areas within their airport.

What motivates an insider?

The motives of an insider can be varied and can include gaining financial advantage through low-level or organized crime activities. They can be issue-driven (e.g. environmentalist groups), terrorism focused, or an individual may become an insider simply because they are disgruntled or unhappy with the way they have been treated by their organisation. However, the motivation may also be due to a combination of the above factors. Motivation is a complex issue, as two employees may be faced with an identical situation, while only one may decide to act against the interests of their organisation.

Methods of attack

Once an insider has decided to act, their attack methods can vary. These can include sabotage or damage of assets or infrastructure, facilitation of third-party access, unauthorized disclosure of data or information, theft, or even financial corruption. For those with criminal and/or financial motivation this could take the form of smuggling drugs or other commodities to, or from, their country via aircraft or cargo. I would suspect that all airports have criminal activity taking place within them, and much of this activity by its very nature requires the involvement of an insider in some capacity.

Criminal insiders within airports

Examples of criminal insiders within airports exist globally, from the insider cocaine smuggling conspiracy among a number of British Airways cargo workers at Heathrow Airport in 2013, to several TSA screeners charged for allowing large amounts of drugs to pass through X-ray machines at Los Angeles Airport in 2012. Another example of smuggling in an airport environment took place when an insider carried out a gun smuggling plot to bring large numbers of firearms into JFK International Airport. The commodity is irrelevant, as the same exploitation of vulnerabilities will be present, and it is the gross breach of trust that is arguably of greatest concern.

With access to sensitive data, cyber attacks are just one way an insider can be a threat

Identifying the insider threat in aviation

Much attention has been given to behavioral indicators of a potential insider threat among aviation actors. However, everyone has life experiences that could cause their behavior to change from time to time. Obvious lifestyle and behavioral indicators include an employee becoming rich for no apparent reason, someone becoming more reclusive and disengaged from colleagues, or an employee carrying out unauthorized or suspicious activity.

An insider threat indicator can be an employee expressing hostile views against the organisation, but this can also be the result of some other issue, such as lifestyle stressors or psychological vulnerabilities.

However, indicators can be important where they are repeated and there is an unaccounted change to usual behavior. The key factor is that someone needs to take responsibility to act appropriately when these indicators are present.

What makes this complex is that there is no standard profile of an insider. Excessive self-importance, arrogance, a manipulative nature, a superficial persona or impulsiveness can be a sign.

Some insiders possess high self-esteem; others suffer from low self-esteem. If you look at your work environment, I am sure many of the above traits can be found; however, it does not necessarily mean they represent an insider threat!

Malicious or unintentional insider threat in aviation?

While the common understanding of what constitutes an insider focuses on the ‘malicious insider’ who knowingly undertakes their action, an equal danger exists through the actions of the ‘unintentional insider’.

Many employees, by their actions, leave themselves and their organisations vulnerable to infiltration or attack, e.g. through the use of social engineering.

Within a dynamic environment, such as the aviation sector, these actions could potentially lead to loss of life, destruction of infrastructure, financial loss, and damage to aviation organisations. The impact of an employee's omission or failure to comply with procedures could be as devastating as the impact of an insider attack.

The exploitation of vulnerabilities

Everyone is vulnerable at some point in their life, be it through bereavement, divorce, financial issues or other personal circumstances. Anyone experiencing depression, loneliness, mental illness, or an addiction to drugs, gambling or alcohol is vulnerable to external exploitation.

In recent years, several at-risk airport insiders have created vulnerabilities within the aviation sector, and in some cases have caused damage to their organisations.

How can you combat the insider threat within aviation?

So, how can your organisation deal with the threat from insiders? Unfortunately, there is no ‘silver bullet’ to solve the problem. An insider may have several issues which are occurring within their life and which cause them to work against the interests of their organisation and fellow workers.

Deal with insider threat activity by adopting a holistic and integrated approach to organisational security. This would focus the greatest activity on critical parts of the organisation such as IT systems, client information, and critical infrastructure. A few measures among others to be considered include:

  • Obtaining strategic buy-in to the development of an insider threat programme
  • Identifying key infrastructure and assessing potential vulnerabilities which could be exploited by an insider
  • Undertaking strategic and personal level ‘insider threat’ risk assessment processes
  • Creating robust pre-employment screening and recruitment processes to prevent insider infiltration
  • Identifying and developing on-going security measures to address the issue of insiders already within your organisation
  • Creating an effective organisational security culture to mitigate the opportunities for insider attack
  • Developing an insider threat exercising programme for management
  • Creating an environment that enhances resilience and the capacity to deal with every kind of insider threat
  • Implementing staff education/training, and developing key processes, to reflect insider threat concerns.

The above measures cover only a small part of the insider threat within aviation, but they are worth considering if you wish to combat the threat within your own organisation.

This article by David BaMaung – International Airport Review – August 2018.