The Metropolitan Washington Airport Authority (MWAA) earlier this year published a document to its website containing sensitive security information that terrorists could potentially have used to launch cyber and physical attacks against Reagan National and Dulles International airports in Washington, D.C.
The document is a Statement of Work (SOW) published as part of a process to solicit contractors for electronic security maintenance, repair, modification, and installation services at the airports. Since being contacted for this article, the MWAA has removed information from the document that it deemed sensitive.
[ FREE DOWNLOAD: 68 great ideas for running a security department ]
Rob Yingling, a spokesperson for the MWAA, acknowledges that he could not be certain exactly how long the SOW was available on the public Internet. He says SOW documents for contractors are typically published for temporary periods, but the length of each varies depending on the services the solicitation seeks.
A solicitation for the project dated March 2, 2012 gives an April 4 deadline for questions about the project. On Sept. 19, the same day the MWAA issued a statement declaring the sensitive information was removed from the document, the MWAA's board of directors approved a contract for the security services to TYCO Integrated Security, Yingling says.
Statement of work documents are often made available online. Several federal agencies, such as the Government Services Agency and the Centers for Medicare & Medicaid Services, publish their SOWs for construction projects regularly. However, the MWAA acknowledged that the documents need to be screened for sensitive information before being published.
"To ensure a wide range of competitive bids for the contracts we award, the Airports Authority routinely posts procurement documents online," according to a statement the MWAA provided to Network World. "The referenced contract has completed the procurement process, and therefore documents have been removed from our website. We agree postings of this type need to be fully vetted and only contain releasable information pertaining to the solicitation in question."
Matthijs Koot, an independent security researcher from the Netherlands, first voiced his concerns after spotting the document in a popular online disclosure forum. At first glance, the document appeared to be little more than a general rundown of maintenance projects typical of SOWs. Further examination, however, left Koot alarmed over the level of detail regarding hardware and configuration of sensitive security systems.
"The words 'airport' and 'electronic systems security' hit my curiosity bone," Koot says. "I skimmed through the file and noticed it contains a lot of details about security procedures, such as schedules for testing the alarm system and how security information is communicated."
The document included a detailed map of Ronald Reagan Washington National Airport, a diagram of the entire electronic security system - including connection and protocol details for key components - and an outline of which COTS hardware/software are used, down to the router brands and types.
After reviewing the document, Koot asked for a second opinion from a senior-level U.S. military cybersecurity specialist and former leader of a military Red Team that challenged government systems to identify weaknesses.
Though he only agreed to speak on the condition of anonymity, the specialist says the document contained "exactly the type of open source information that the team and I were always looking for in order to lay the groundwork for targeting of a system."
Others agree. After reviewing the SOW, Scot Terban, who performs penetration testing, incident response, forensics, and information security auditing at an aerospace company, says "all you'd need to really set up a nice hacking attack on Reagan and Dulles is in there." That includes the number and location of surveillance cameras, the operating systems used at the airports, the types of switching, routing and networking hardware used, network logic diagrams and data flows, and the locations of RFID readers.
"It is also important to note that in this document set, they state that the work being done will allow for access to the codes for the airport facilities," Terban says. "So once in [the] clear, the attacker would have access to pretty much the keys to the kingdom at both airports."
To better understand what the information contained in the SOW could be used for from an attacker's perspective, an experienced hacker familiar with penetration testing and the techniques employed in undermining network security systems was consulted. Given the sensitive nature of the information, the source preferred to remain unnamed.
The hacker explained that anyone launching an attack could spend months gathering the necessary information. With the SOW, "someone decided to do all this work for me," he says.
The difficulty involved with reporting the issue to federal authorities raised additional concerns. The military cybersecurity specialist contacted the Department of Homeland Security shortly after reviewing the document. However, because the airports are classified as civilian facilities, his reporting was limited to a phone-based system developed as part of Secretary Janet Napolitano's "If You See Something, Say Something" campaign.