CSAAP

Module 1 — Overview

Overview

This module introduces students to the world of airport administration and its relationship with cybersecurity. The lecture will provide an overview of the U.S. airport system, examining its historical evolution, the stakeholders involved (aeronautical users, non-aeronautical users, government entities, the community), and the different categories of airports (commercial service, general aviation, military/joint use). It will also touch upon flight operations and the regulatory environment, including airport sponsorship structures and the role of the airport executive. The lecture reviews fundamental cybersecurity principles (Confidentiality, Integrity, Availability), common cyber threats faced by administrative systems like phishing and malware, and an overview of key cybersecurity-related regulations impacting airports.

Students will supplement the lecture with readings from CM Module 1, focusing on airport fundamentals and the regulatory landscape. This module aims to build a baseline understanding of how airports function administratively and the essential need for cybersecurity within that context, addressing Course Outcome 1 (understanding stakeholder data protection) and Outcome 3 (understanding governance and regulatory compliance in cybersecurity).

Required Reading

AAAE Certified Member (C.M.) Module 1: Finance and Administration of Airports

  • Section: Airport Fundamentals (Pages 12-29)
    • The Origin and Evolution of Airports in the United States
    • The Airport Environment and Its Stakeholders
    • Airport Categories
  • Section: Understanding Flight Operations and the Aviation System (Pages 29-35)
  • Section: The Regulated Airport (Pages 36-51)
    • The Airport Sponsor and Airport Management
    • Historical and Emerging Challenges
    • Airport Sponsor Structures
    • The Airport Executive Role
    • Airport Organization
    • Federal Regulations Affecting Public-Use Airports (Overview)
    • The NPRM Process

Frequently Asked Questions

Here are some frequently asked questions related to the topics covered in Week 1. Review these to help clarify key concepts.

Airport Basics & Governance

Q1: What’s the main difference between a Commercial Service Airport and a General Aviation (GA) Airport?

A1: Commercial Service Airports have scheduled passenger service with at least 2,500 passenger boardings (enplanements) per year and fall under FAA Part 139 safety regulations. General Aviation airports primarily serve private, corporate, charter, and training flights and typically do not have scheduled passenger service (or less than 2,500 enplanements). Their regulatory requirements are different, especially concerning security and safety certification.

Q2: What is the NPIAS, and why is it important?

A2: NPIAS stands for the National Plan of Integrated Airport Systems. It’s a list maintained by the FAA identifying public-use airports considered important to the national air transportation system. Being in the NPIAS makes an airport eligible to receive federal funding through the Airport Improvement Program (AIP) for capital projects. (CM Mod 1, p. 23)

Q3: Who are the main stakeholders at an airport?

A3: Stakeholders include Government Entities (FAA, TSA, CBP, local gov’t), Aeronautical Users (airlines, pilots, FBOs), Non-Aeronautical Users (concessions, parking, vendors), and the Community (passengers, neighbors, local businesses). Each has different needs and interests related to the airport. (CM Mod 1, pp. 18-22)

Q4: What’s the difference between an Airport Sponsor and an Airport Executive?

A4: The Airport Sponsor is the governing body legally responsible for the airport (e.g., city council, county commission, airport authority board). They set policy and strategic direction. The Airport Executive (e.g., Airport Director/Manager/CEO) is hired by the sponsor to implement policy and manage the airport’s day-to-day operations. (CM Mod 1, pp. 36-37, 45)

Q5: What are Grant Assurances?

A5: They are legally binding promises that an airport sponsor makes to the federal government when accepting federal funding (like AIP grants) or federally transferred property. These assurances cover many areas, including keeping the airport open, maintaining it safely, ensuring non-discriminatory access, using revenue properly, and protecting airspace. They often last 20 years or perpetually for land. (CM Mod 1, pp. 56-59)

Cybersecurity Fundamentals

Q6: What is the CIA Triad in cybersecurity?

A6: The CIA Triad represents the three core goals of information security:

  • Confidentiality: Preventing unauthorized disclosure of sensitive information.
  • Integrity: Ensuring data is accurate, complete, and trustworthy (not improperly altered).
  • Availability: Ensuring authorized users can access systems and data when needed.

Airport cybersecurity efforts aim to protect these three aspects for all airport data and systems. (Lecture Notes / External Readings)

Q7: What is phishing, and how might it target airport administration?

A7: Phishing is a cyber-attack using deceptive emails, messages, or websites to trick people into revealing sensitive information (like passwords) or clicking malicious links. In an airport admin context, attackers might send emails pretending to be from HR, IT support, a known vendor, or even a regulator like the FAA/TSA, trying to steal login credentials or install malware. (Lecture Notes / External Readings)

Q8: What is ransomware, and why is it a threat to airports?

A8: Ransomware is malware that encrypts an organization’s files, making them inaccessible. The attackers then demand a ransom payment (often in cryptocurrency) to provide the decryption key. It’s a major threat because it can lock up critical administrative systems (finance, HR, planning), halt operations, lead to data loss, and be very costly. (Lecture Notes / External Readings)

Q9: What is the NIST Cybersecurity Framework (CSF)? Is it a regulation?

A9: The NIST CSF is a set of voluntary guidelines and best practices developed by the U.S. National Institute of Standards and Technology to help organizations manage cybersecurity risk. It’s organized around five functions: Identify, Protect, Detect, Respond, Recover. It is not a regulation itself, but it’s widely adopted, and regulatory agencies like TSA may reference it or align their requirements with its principles. (Lecture Notes / External Readings)

Q10: How do FAA and TSA relate to airport cybersecurity?

A10: While the FAA’s primary focus is safety, ensuring the integrity of systems needed for safe operations (like NAVAIDS) has cybersecurity implications. The TSA’s focus is security, and through regulations (like Part 1542) and Security Directives, they increasingly mandate specific cybersecurity practices for commercial service airports, covering areas like access control systems, network security, and incident response planning. (CM Mod 1, p. 51; Lecture Notes)

Study Guide

This guide highlights the key concepts and topics covered in Module 1. Use it to focus your studying on the required readings, lecture materials, and supplemental resources. Understanding these foundational elements is crucial for success in the course.

Key Terms & Acronyms to Know

  • Airport Sponsor
  • Airport Executive
  • Stakeholder
  • Commercial Service Airport (Primary, Nonprimary)
  • General Aviation (GA) Airport (Reliever)
  • NPIAS (National Plan of Integrated Airport Systems)
  • AIP (Airport Improvement Program)
  • FAA (Federal Aviation Administration)
  • TSA (Transportation Security Administration)
  • Grant Assurances
  • Advisory Circular (AC)
  • CFR (Code of Federal Regulations)
  • Cybersecurity
  • CIA Triad (Confidentiality, Integrity, Availability)
  • Phishing (Spear Phishing, Whaling)
  • Malware (Ransomware, Virus, Worm, Spyware)
  • Data Breach
  • Denial-of-Service (DoS) / DDoS
  • NIST Cybersecurity Framework (CSF)
  • ISO 27001 / ISMS
  • IEC 62443
  • MITRE ATT&CK
  • PII (Personally Identifiable Information)
  • SSI (Sensitive Security Information)
  • PCI-DSS (Mentioned regarding financial data)

Key Topics & Concepts

1. The Airport Ecosystem

  • History: Understand key milestones (Air Mail Act, Air Commerce Act, DLAND, FAA creation, Deregulation, ATSA) and how they shaped the modern airport environment, including the role of federal funding and regulations. (CM Mod 1 pp. 12-18)
  • Stakeholders: Identify the main categories (Government, Aeronautical Users, Non-Aeronautical Users, Community) and provide examples within each. Understand their basic interests and the types of sensitive data associated with them. (CM Mod 1 pp. 18-22)
  • Airport Types: Differentiate between Commercial Service (Primary/Nonprimary, Hub sizes), General Aviation (Categories, Relievers), Cargo, and Military (Joint/Shared Use). Know the significance of NPIAS and AIP eligibility. (CM Mod 1 pp. 22-29)

2. Airport Governance & Regulation

  • Governance Structures: Compare Municipality vs. Airport/Port Authority models — understand pros and cons, especially regarding decision-making and political influence. (CM Mod 1 pp. 40-45)
  • Roles: Differentiate between the Airport Sponsor (policy, strategy) and Airport Executive (implementation, management). (CM Mod 1 pp. 36-37, 45-47)
  • Regulatory Environment: Identify key agencies (FAA, TSA). Understand the hierarchy and purpose of key documents: CFRs, Grant Assurances (especially their binding nature), ACs, FAA Orders, TSA SDs/ICs. (CM Mod 1 pp. 49-62)

3. Cybersecurity Fundamentals in Context

  • Why Cyber Matters for Airports: Understand the link between airport complexity, data sensitivity, IT/OT reliance, and the resulting cyber risks.
  • CIA Triad Application: Be able to define Confidentiality, Integrity, and Availability and provide specific examples relevant to airport administrative functions (e.g., protecting HR data, ensuring financial accuracy, keeping comms systems online). (External Readings)

4. Key Cyber Threats to Airport Administration

  • Be able to define and provide airport-specific administrative examples for:
    • Phishing (and its variants)
    • Data Breaches (causes and impacts on admin data)
    • Ransomware (impact on admin systems/data)
    • Denial-of-Service (impact on admin-related systems/availability)
  • Understand how these threats impact the CIA triad. (External Readings)

5. Introduction to Cybersecurity Frameworks

  • Understand the purpose of using frameworks (structure, best practices, common language).
  • Identify the core function/focus of:
    • NIST CSF (Risk Management: Identify, Protect, Detect, Respond, Recover)
    • ISO 27001 (Information Security Management System - ISMS)
    • IEC 62443 (Industrial/OT Security)
    • MITRE ATT&CK (Adversary Tactics & Techniques)
  • Recognize NIST CSF as a primary framework often used in US critical infrastructure. (External Readings)

Key Questions to Consider

  • How does the history of airport development influence today’s administrative and cybersecurity challenges?
  • Why is understanding different stakeholders crucial for protecting airport data?
  • How might the cybersecurity needs differ between a large hub commercial airport and a small GA airport?
  • How does the airport’s governance structure impact its ability to implement effective cybersecurity?
  • Give an example of how a failure in Confidentiality, Integrity, OR Availability could impact airport administration specifically.
  • Why is phishing such an effective attack vector against administrative staff?
  • How does complying with FAA/TSA regulations relate to implementing cybersecurity controls?
  • What is the main difference in focus between NIST CSF and MITRE ATT&CK?

Relevant Course Outcomes & Objectives

  • Outcome 1: Demonstrate an understanding of the cybersecurity measures necessary to protect stakeholder data and ensure secure communication in airport administration.
    • Obj 1.1: Recall the basic principles of data integrity and availability related to airport management systems.
    • Obj 1.2: Describe the importance of secure communication between airport stakeholders and its role in protecting sensitive information.
  • Outcome 3: Analyze the role of governance structures in implementing cybersecurity practices that comply with federal regulations and protect airport management systems.
    • Obj 3.1: Identify key federal regulations that guide airport cybersecurity practices.
    • Obj 3.2: Understand the role of governance structures in enforcing cybersecurity policies within airports.