Report reveals inadequate cyber security at Schiphol Airport

A report has revealed problems with critical security systems in Amsterdam’s Schiphol Airport

This article can also be found in the Premium Editorial Download: CW Europe: CW Europe: IT expertise in banks’ boardrooms reduces risk, says European regulator

The cyber security of border controls carried out by the Dutch Royal Military Police at Schiphol Airport is inadequate and not future-proof, according to a report.

Research carried out by the Dutch Court of Audit (Algemene Rekenkamer) found that security tests on the IT systems hardly ever take place, if at all. It also said the software of two IT systems is operational without the required approval, and that IT systems are not connected to the detection capacity of the Ministry of Defence and Schiphol itself.

With almost 80 million passengers a year, Schiphol is not only the most important airport in the Netherlands, but also an important gateway to Europe. The Royal Military Police check passengers entering or leaving the Schengen zone at the airport. In doing so, systems process the personal data of passengers from across the world. This includes information about nationality, travel itinerary, travel company and, in some cases, criminal data.

Passengers are checked at the passport desk and via electronic self-service gates. Travellers from outside the Schengen area are also screened with pre-assessment before arrival.

With border control, the Royal Military Police contributes to the security and control of immigration into the Netherlands. The importance of IT in border control is huge – and growing. Digitisation makes it faster and more thorough, but at the same time creates dependence and new risks.

The passport counter, electronic self-service gates and the pre-assessment stage each have their own IT systems. The Ministry of Defence is responsible for the cyber security of the systems that carry out checks on arriving passengers during their flight, and at the counters of the Royal Military Police at Schiphol. Meanwhile, the Ministry of Justice and Security is responsible for the IT system of the self-service passport control at the airport.

The cyber security of these three systems is crucial to combat digital sabotage, espionage and crime. If border control IT becomes unusable due to a digital attack, the Royal Military Police can barely carry out border control, if at all. This can result in long queues, delays or flight cancellations. In addition, foreign security services can use cyber espionage to access the data of specific travellers. Cyber attacks can also be used to manipulate information so that wanted persons can cross the border more easily.

Not approved

The Court of Audit’s examination shows that cyber security measures are not functioning as they should. For example, the defence security policy describes the security measures that all border control IT systems must comply with and states that IT systems should only be used once these measures have been taken.

However, two of the three border control IT systems have not been found to be adequately protected against cyber attacks. The passport counter system and the self-service system did not go through the Ministry of Defence’s approval procedure to establish this.

Specialists can quickly detect a cyber attack by continuously monitoring IT systems. The Ministry of Defence and the Schiphol company both have such detection capabilities in the form of a security operations centre (SOC).

The IT systems that support border control are not themselves connected to the detection capacity of these SOCs. As a result, there is a risk that cyber attacks on these IT systems will not be detected or will be detected too late, according to the Court of Audit report.

Insufficient testing

Defence policy also prescribes annual security tests, but in practice few or no security tests have been carried out on the three IT systems of border control. They have never even been carried out on the pre-assessment and passport desk systems.

Several public and private parties are involved in the self-service control IT system, which is owned by the Ministry of Justice and Security. As a result, a joint security test was laborious and resulted in a smaller number of tests than the parties intended.

The various parties involved are also dependent on each other when it comes to approving the security of the system. Unknown vulnerabilities can therefore remain in the system and be abused for cyber attacks.

As the Ministry of Defence had never done this before, the Netherlands Court of Audit performed a security test on the pre-assessment systems.

The starting point for this test was the insider threat, in which the attack is carried out via a defence employee who has access to the Ministry’s network but is not authorised for the pre-assessment system. This is a real risk, with 60,000 defence staff members having access to the network.

This security test revealed 11 vulnerabilities, including the use of weak passwords and the ability to send emails on behalf of random Ministry of Defence employees.

In addition, the test showed that different vulnerabilities could be combined in the event of a single cyber attack. With an advanced attack, it would be possible for unauthorised persons to manipulate the pre-assessment system in such a way that it would appear that a passenger is not, for example, on an investigation list, despite this being the case. The Ministry of Defence has now resolved these vulnerabilities, so this kind of attack is no longer possible.

Not connected to SOC

The Ministry of Defence has extensive procedures for dealing with IT disruptions and crisis situations. These include specific procedures for disruptions caused by a cyber attack.

The organisation even carries out exercises with digital crisis situations. However, there is a lack of preparation based on concrete scenarios, such as an attack with ransomware, and there has never been a cyber exercise for border control. As a result, it is uncertain whether the Ministry’s response to a cyber attack in border control is effective in practice, concluded the Court of Audit.

Furthermore, the organisation is concerned that the IT system for pre-assessment is not connected to the detection capacity of the Ministry of Defence’s SOC. The Ministry itself has identified this system as a critical system.

Border control will be further digitised in the coming years. The complexity of, and dependence on, IT are growing. With this future in mind, it is now important to guarantee an adequate level of cyber security, the Netherlands Court of Audit stated in its report.

The Ministry of Defence already has the necessary knowledge and expertise for this. The recommendations made by the investigators in the report therefore mainly boil down to actually doing what is already possible. According to the Court of Audit, it is incomprehensible that this has not yet happened.

Already taking steps

In response to the report of the Court of Audit, ministers Ank Bijleveld (Defence) and Ferd Grapperhaus (Justice and Security) said that, in view of the increasing use of IT systems in border control at Amsterdam Airport Schiphol, further improvements are desirable.

They endorse the recommendations made by the Court of Audit in the report. “At the same time, the task in the area of cyber security is major and the IT landscape for border control is dynamic. We are already taking steps in response to many of the recommendations,” said the response to the report.

For example, the Court of Audit recommends that the necessary security measures be taken as soon as possible and that the approval procedure for the counter control system and the self-service system be completed.

According to the ministers, adjustments are currently being made to the system and additional security measures are being taken in order to better guarantee the availability of the systems in the future.

With regard to connecting to the detection capacity, the ministers state that not all systems can be connected to the SOC at the same time, and that a step-by-step approach has been adopted.

“Priority will be given to those IT systems that have the highest priority for defence. Currently, priority is given to other critical systems, with a higher degree of urgency. The network on which the systems at the desk and during the pre-assessment are located has been connected to the SOC. This already mitigates some of the risks,” the ministers said in their response. In time, the other individual systems will be connected.

According to the ministers, the recommendation to carry out annual security tests is not feasible due to the limited staff capacity and the time required to follow up all findings. Incidentally, this does not apply to the self-service system. A new security test will be carried out as soon as possible, and from 2021 onwards the system must be tested annually. In addition, it will be examined how the parties involved can practise with crises as a result of a cyber attack at Schiphol.
