Court of Audit: Schiphol border control is poorly protected against cyber attacks
According to the Court of Audit, the border control systems at Schiphol Airport are poorly protected against digital attacks. They run outdated and vulnerable software, and little attention has been paid to disaster scenarios.
The Court of Audit writes in a report that the security of the systems used by the Royal Marechaussee at the airport is not in order. The Court of Audit looked at the ICT infrastructure, among other things, as well as at the preventive measures surrounding it and at the contingency plans that are ready in case the airport is confronted with an incident. The ICT systems that the Court of Audit examined are used for border checks, among other things.
There are three systems involved: the self-service system, the system at the check-in desk and the system for a ‘pre-screen’. The software used for the pre-screen and self-service is outdated. The IT system that is used when checking in at the counter is the responsibility of the Ministry of Defence, but the Court of Audit says that system never passed the Ministry’s approval procedure. Authorization protocols within some ICT systems are not in order. ‘Insider threats’ are therefore a danger, the Court of Audit writes. For example, almost every Defence employee could use a standard password to access the pre-assessment ICT system, which is used to screen travelers at an early stage of their journey. According to the Court of Audit’s report, that password was ‘findable via Google’. The Court of Audit also says that two of the three systems it examined were not connected to Schiphol’s Security Operations Center.
According to the Court of Audit, one of the obstacles is that different parties with different roles are involved in security. For example, some check-in systems are managed by the Ministries of Security and Defence, while others, such as the self-service system, are managed by Schiphol itself. “Those parties sometimes have conflicting interests,” the Court of Audit writes. For example, Schiphol mainly wants a faster flow of passengers, which is sometimes at the expense of safety.
Although the Ministry of Defence has prepared plans for ‘cyber attacks’, they are very general and are not tested in practice. For example, no specific incidents, such as a ransomware infection, are described in the scenarios. “We therefore see a risk that the response must be too improvised,” the Court of Audit writes. Such scenarios are also rehearsed too little in practice. “As a result, there is a risk that cyber attacks on these IT systems will be noticed too late or not at all.”