Implementing "Perimeter Intrusion Detection"
It's important to get the funds to support a security initiative - but even more important that these funds are well spent. In the article titled "$90M err-ports" from the New York Post Murray Weiss writes:
A nearly $90 million security system designed to thwart terrorists trying to get onto runways at the metro area's four major airports still isn't up and running four years after it was purchased by the Port Authority -- and it may never work, officials told The Post.
The safety network -- dubbed the Perimeter Intrusion Detection System, or PIDS -- was supposed to provide state-of-the-art electronic fencing complete with sensors and closed-circuit cameras that would immediately pinpoint someone trying to get on a runway to attack a plane at JFK, La Guardia, Newark and Teterboro airports.
This story came to my attention while watching the news the other day. The term "Perimeter Intrusion Detection System" sounded familiar and triggered further investigation on my part. The New York Port Authority signed a more than $100 million contract with Raytheon to build and install perimeter fencing, sensors and cameras around the four major airports in New York (John F. Kennedy International and LaGuardia) and New Jersey (Newark Liberty International and Teterboro). The system is designed to prevent a potential terrorist from accessing a runway to attack a plane. The article states:
"provide state-of-the-art electronic fencing complete with sensors and closed-circuit cameras that would immediately pinpoint someone trying to get on a runway to attack a plane"
When I work with organizations to design defensive measures, I take into account many factors. Looking at previous and current attacks against the infrastructure is certainly one of those factors. While you cannot limit your defensive strategy to known attacks, it needs to play a major role. For example, most of the attacks against airports and planes have not come from terrorists physically accessing the runway. Yet millions of dollars and countless hours are being spent implementing a defense system that will protect the perimeter of the airport. Common sense needs to play a role when you are designing defense systems, whether for airports or your network. Let’s take the airport example a step further. Maybe it’s just me, but isn't it easier to just buy a plane ticket? Even better, get on the inside by becoming an employee of a restaurant inside the airport? If there was ever a physical attack, a rocket launcher puts some distance between the attacker and the plane and eliminates the need to be on the runway. In the case of a rocket launcher, the plane was shot down at 8,000 feet after leaving the airport. With respects to perimeter security, a rocket renders a fence around the runway completely useless as an attacker can be within range and still be at a safe distance from the airport defenses.
Unfortunately the same mistakes are being made in information security. Many of our defenses are not based on the proper sources of intelligence. For example, should you spend millions of dollars on a new firewall when the attackers are abusing your web applications? Probably not. The one you have most likely works just fine with respect to features (throughput may be another story). Firewalls do provide some level of perimeter detection for your network, and you can prove their effectiveness by reviewing logs and providing statistics to management on how many attacks and scans the firewall is preventing. While this technology is useful, it can lead to a false sense of security (e.g., "We have a perimeter fence, no one will shoot a plane with a rocket launcher"). You may not feel the need to patch your systems because, "Hey, it’s behind the firewall". Turns out this same security fallacy projects itself into the physical security world too, because the Port Authority has now scaled back its perimeter patrols (ones performed by humans), and replaced it with the perimeter security, which, by the way, is not working correctly.
It’s a Bird, it’s a Plane, oh no it’s just a False Positive
As it turns out the PIDS was first “tested” at Teterboro airport, where they experienced a high level of false positives. Birds, small animals such as squirrels and weather (rain and wind) caused the alarms to go off. This is a prime example of a lack of testing. Rather than install an expensive system at an airport (57 miles of "intelligent" fencing has already been installed), test it on a small scale in the field first! The same should be true for any technology that you put into your network. Many people have commented how their production systems absolutely cannot be disrupted in any way in order to keep the business running. You should always have a test lab where you can experiment and test new technology. In addition, there are usually smaller pockets of your network that make a good proving ground for technology. They make sure it works the way it’s supposed to, before you surround the entire network (or in this case airport) with it.
When implementing security, you need to identify your most critical assets, review the potential threats and prioritize the defenses. So much of security is about proper management and making sure that your projects are aligned with the business goals and working to eliminate risk. Implementing new technologies because "they sound neat" is the wrong way to approach security. Before the project even gets created, you need intelligence about your attackers and what is happening on your network. The intelligence needs to be reviewed on a regular basis and your strategy updated accordingly. Therefore, before you go putting a huge fence around your network, do your homework and make the right decisions.