Cybersecurity standards often reference ‘privileged users’, and some cybersecurity regulations even include specific expectations around management and training of privileged users. But what is a “privileged user”? And how does the general cybersecurity concept apply in airports, where many systems were designed and installed before these concepts were routinely considered? Egis cybersecurity expert Andy Boff discusses these questions and offers some advice on how existing protections can be helpful.
What (or who) is a privileged user?
When it comes to interpreting many different standards, it often helps to take a step back and look at the underlying intent. In this case, the standards that mention privileged users are concerned with systems being exposed to situations that have the potential to invalidate (intentionally or accidentally) other security protections. The privileged user is the system actor with the ability to weaken these protections.
Most standards have an implied assumption that a ‘regular’ or ‘end’ user is different to a ‘privileged user’. A regular user has restrictions on the way they access the system, ideally with only enough access to do their specific task and no more. The security term for this is ‘least privilege’ (which gives us a hint about how they relate to privileged users). Some older systems don’t apply this ‘least privilege’ principle, which could mean all system users might count as ‘privileged’. In this instance, it is sensible to examine whether end users might also be considered privileged.
All systems have some activities that require an individual to interact with them in some way – it might be planned maintenance as an administrative user, or even physical access to system equipment. Both would be examples of privilege in a cybersecurity context. So, who would these users be for an airport?
It may seem obvious, but the size of an airport and the architecture and implementation of its systems will strongly influence who the privileged users are and who should be involved in defining the planned controls or protection. ATCOs will have different perspectives and knowledge levels to ATSEPs and vice versa. Whoever is involved, they will need to work carefully to ensure that the effort invested in developing compliant systems and processes delivers an appropriate security benefit.
My advice is to address the problem on two levels: 1) Who should be involved to address compliance? 2) Who should be involved to identify or implement added value for the business? In situations where regulations require special handling of privileged users, airports need to ensure that the steps taken are providing tangible value and an overall improvement in security posture.
How does the general concept apply to a legacy system?
In systems that were not developed with strong tiered access control systems in place, or designed in accordance with modern cybersecurity principles, it is likely that the list of privileged users is significant. This creates a headache for airports as each privileged user represents additional risk exposure for the system. Having a wide range of people designated as privileged users is far from ideal. Where regulation drives additional steps or protection for these privileged users, this also translates into real cost and complexity.
What existing protections are there?
Well, primarily the existing protections are rooted in accountability. The aim for both safety and security is to make sure that people follow defined processes, and that any non-authorised changes are prevented or quickly identified (and rectified). These existing protections count as defences, but reducing exposure is even more effective as a preventative measure and gives a greater “defence in depth” approach.
A practical way of dealing with the exposure of privileged users on a system has three distinct steps:
1. Identification: An honest assessment of actors with privileged access to a system to identify only those who really require that level of privileged access.
2. Reduction: Based on the results of Step 1, the list of privileged users should be minimised by adding controls / system changes that remove inappropriate privilege.
3. Management: Managing the risk of the remaining privileged users through:
- Systemic or architectural changes, like indirect system management
- Preventative controls, like awareness and training
- Detective controls, like additional monitoring and audit trails.
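The three steps above can be run as a repeatable review against a system's account list and audit trail. The following is an added illustration, not Egis's own tooling: the record layout, the role names (`admin`, `maintenance`, `operator`) and the sample accounts are all constructed assumptions, and the `tiered_access` flag models the legacy case where every user counts as privileged.

```python
"""Privileged-user review: identify, find reduction candidates, detect
unapproved privileged activity. Constructed example; role names, record
layout and sample accounts are assumptions, not from any real system."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

PRIVILEGED_ROLES = {"admin", "maintenance"}  # assumed role names


@dataclass
class Account:
    name: str
    roles: set
    # audit-trail records: (timestamp, action, was_privileged)
    actions: list = field(default_factory=list)


def identify_privileged(accounts, tiered_access=True):
    """Step 1: with no tiered access control, every user is privileged."""
    if not tiered_access:
        return [a.name for a in accounts]
    return [a.name for a in accounts if a.roles & PRIVILEGED_ROLES]


def reduction_candidates(accounts, now, window_days=90):
    """Step 2: privileged accounts with no privileged action in the window
    are candidates for having that privilege removed."""
    cutoff = now - timedelta(days=window_days)
    return [a.name for a in accounts
            if a.roles & PRIVILEGED_ROLES
            and not any(p and t >= cutoff for t, _, p in a.actions)]


def detect_unapproved(accounts, approved):
    """Step 3 (detective control): privileged actions performed by
    accounts outside the approved privileged-user list."""
    return [(a.name, act) for a in accounts
            for _, act, priv in a.actions
            if priv and a.name not in approved]


# Constructed sample data for a legacy maintenance system
NOW = datetime(2024, 6, 1)
ACCOUNTS = [
    Account("atsep1", {"maintenance"}, [(NOW - timedelta(days=3), "patch", True)]),
    Account("atsep2", {"maintenance"}, [(NOW - timedelta(days=200), "patch", True)]),
    Account("atco1", {"operator"}, [(NOW - timedelta(days=1), "view", False)]),
    Account("vendor", {"admin"}, [(NOW - timedelta(days=10), "config", True)]),
]
```

Running the three functions over `ACCOUNTS` lists three privileged accounts, flags `atsep2` as a reduction candidate (no privileged action in 90 days) and surfaces the vendor's `config` change once the approved list is limited to the two ATSEPs.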
With recent scrutiny around privileged users on operational systems, Egis is helping an increasing number of airports to identify privileged users, minimise the risk exposure and extract broader business benefits from the process.
We are also developing awareness and training programmes at both operational and management levels within aviation organisations to help customers meet current cybersecurity regulatory requirements as a further cost-effective mitigation to cybersecurity risk.