Port Authority’s Pollan Talks Business Risks, Cybersecurity at 2013 GMIS Conference*
*ARCHIVED POST–This week we are reposting some of our best-received articles of 2013. This post was first published in April 2013.
The challenges of meeting the IT needs of a large agency like the Port Authority of New York and New Jersey are largely human ones, ranging from dealing with an IT professional population close to retirement to accommodating changing priorities that come from the state administrations re-elected every few years.
It’s not easy to serve two masters — the governors of New Jersey and New York — and keep aging IT infrastructure updated, Antonio Pollan, assistant director of the Port Authority (PA), told several hundred N.J. public IT employees at the April 11, 2013, New Jersey Government Management Information Services (NJ-GMIS) Technology Education Conference, in Somerset.
“I have spent a lot of my five years [with the agency] to educate and work with the business side of the Port Authority, so they know what the business risks are for not doing maintenance, not upgrading a system,” he said.
Superstorm Sandy was a big wake-up call, he noted.
While the PA had a disaster-recovery system in place, data could not be recovered quickly enough for management’s liking. “That’s when we dusted off the presentation we made about this a while ago and said, ‘Remember, we talked about this,’ ” noted Pollan. Sometimes it takes a natural disaster for agencies like the PA to recognize a business risk, he added.
The PA covers structures within the 25-mile radius around the Statue of Liberty, Pollan said, plus some outliers like Stewart International Airport, in Orange County, N.Y., and the recently added Atlantic City International Airport. Its scope includes airports, tunnels and bridges, which are very different types of intermodal businesses, he noted, adding, “That translates into different technologies needed to support the different business models for each of these businesses.”
Pollan noted that the PA’s mission is to promote commerce in the New York/New Jersey region and that all the IT work it does is in support of this mission. The business priorities for the agency, oversight from both the N.J. and the N.Y. governors and the fact that priorities change over a government cycle make the PA employees’ jobs as technologists somewhat difficult. There is a lack of continuity in some major government initiatives the agency must implement, he said.
The IT department follows a 10-year plan, said Pollan. The No. 1 priority is keeping whoever is using its tunnels and bridges safe, he noted. Social media is a big concern for the agency, he added: “Our employees use it, and it creates a huge challenge from the standpoint of where you draw the line between personal lives and corporate lives. There is always the risk of information leakage.” There is the prospect of employees damaging their own reputation or that of the agency.
Cloud computing creates similar challenges for the PA, although the agency has adopted it. “Our big concern is the confidentiality of proprietary information that is out there, and the level of security that cloud providers support.” Then there is the security of the applications the PA hosts in the cloud, which need access to applications that sit in the data centers. “You have to walk through this hybrid model carefully,” Pollan said.
Cybersecurity is essential to the agency, he added. “Any government agency has a target on its back,” he said. People want to break into a system for denial of service or to steal information and post it. Also, he explained, “because we have so many diverse facilities, there are a lot of industrial control systems that manage life safety and security applications.” Most of these, such as the controllers managing the big fans that eject fumes from the Lincoln Tunnel, are invisible to the public.
The PA works with many other regional agencies on disaster recovery drills and with the “three-letter agencies,” said Pollan. There is a huge amount of cooperation. “This is serious stuff,” he noted.
The PA has security experts on staff 24/7 who do nothing but look for threats both outside and inside the agency, like a USB port infection or infected email. “All they want to do is pull information out of your systems,” said Pollan. He suggested to the government IT workers in the audience that they implement good cybersecurity and educate their colleagues in this area. They don’t have to reinvent the wheel, he stated, noting that there are many good agencies with cybersecurity frameworks in place.
Systems at the PA look like a typical large organizational flow chart, said Pollan, with the Internet connected to a core network that is linked to facilities like LaGuardia and JFK. Some facilities are connected to the backbone network and some are not, in some cases because the PA hasn’t had the time or the money to remedy this. However, some are intentionally not connected “so we will have an air gap between an installation and some critical systems. We even have air gaps within some facilities,” said Pollan. The agency also has campus networks at some facilities.
Everyone, from contractors to internal staff, has to use two-factor authentication when outside the work environment, Pollan said.
“We have some dedicated individuals at places like Newark and JFK who view these places as their homes,” he added, since they had historically operated as independent entities. Problems can arise when you try to integrate these networks. Pollan suggested that for this to work, senior management must approve and buy into it. They have to understand that the IT department must know its entire exposure from all line departments in all facilities, he said. “If you don’t know the exposure, you run the risk of an insecure system that isn’t well maintained.”
Storage is another big issue for the PA. “We don’t delete anything intentionally,” Pollan noted. Because of litigation discovery requirements, no one is allowed to delete data on hard drives. Those disks are filled and then get stored forever. “We are working with the Legal department to understand if they really need the physical device.” For the top executives, Pollan said he always stores away the original disks, since these individuals are most at risk for litigation.
Video has taxed the PA’s aging systems, including its broadband and memory capacity, said Pollan. Executives at the agency always want to know what is happening at the bridges and tunnels, and this puts a strain on the networks.