The Metropolitan Washington Airport Authority (MWAA) earlier this year published a document to its website containing sensitive security information that terrorists could potentially have used to launch cyber and physical attacks against Reagan National and Dulles International airports in Washington, D.C.
The document is a Statement of Work (SOW) published as part of a process to solicit contractors for electronic security maintenance, repair, modification, and installation services at the airports. Since being contacted for this article, the MWAA has removed information from the document that it deemed sensitive.
Rob Yingling, a spokesperson for the MWAA, acknowledges that he could not be certain exactly how long the SOW was available on the public Internet. He says SOW documents for contractors are typically published for temporary periods, but the length of each varies depending on the services the solicitation seeks.
A solicitation for the project dated March 2, 2012, gives an April 4 deadline for questions about the project. On Sept. 19, the same day the MWAA issued a statement declaring the sensitive information was removed from the document, the MWAA's board of directors approved a contract for the security services to TYCO Integrated Security, Yingling says.
Statement of work documents are often made available online. Several federal agencies, such as the Government Services Agency and the Centers for Medicare & Medicaid Services, publish their SOWs for construction projects regularly. However, the MWAA acknowledged that the documents need to be screened for sensitive information before being published.
"To ensure a wide range of competitive bids for the contracts we award, the Airports Authority routinely posts procurement documents online," according to a statement the MWAA provided to Network World. "The referenced contract has completed the procurement process, and therefore documents have been removed from our website. We agree postings of this type need to be fully vetted and only contain releasable information pertaining to the solicitation in question."
Matthijs Koot, an independent security researcher from the Netherlands, first voiced his concerns after spotting the document in a popular online disclosure forum. At first glance, the document appeared to be little more than a general rundown of maintenance projects typical of SOWs. Further examination, however, left Koot alarmed over the level of detail regarding hardware and configuration of sensitive security systems.
"The words 'airport' and 'electronic systems security' hit my curiosity bone," Koot says. "I skimmed through the file and noticed it contains a lot of details about security procedures, such as schedules for testing the alarm system and how security information is communicated."
The document included a detailed map of Ronald Reagan Washington National Airport, a diagram of the entire electronic security system - including connection and protocol details for key components - and an outline of which COTS hardware/software are used, down to the router brands and types.