Presentation is loading. Please wait.

Presentation is loading. Please wait.

Protection of Transportation Infrastructure from Cyber Attacks EXECUTIVE BRIEFING.

Published byRonald Goodwin Modified over 8 years ago

Similar presentations

Presentation on theme: "Protection of Transportation Infrastructure from Cyber Attacks EXECUTIVE BRIEFING."— Presentation transcript:

1 Protection of Transportation Infrastructure from Cyber Attacks EXECUTIVE BRIEFING

2 Road Map for Today Why cybersecurity is important Consequences of inaction Common myths Strategic best practices What can be done 2

3 Today’s transit systems are cyber 3 Fare

4 Today’s highways are going cyber 4

5 Consequences can be significant 5 Reputational DamageEconomic Impact Political RepercussionsSafety Impact

6 Myth Buster: “It won’t happen to us.” There have been many reported cyber incidents in transit already. 6

7 Myth Buster: “It won’t happen to us.” There have been many reported cyber incidents in transportation already. 7

8 Myth Buster: “It's possible to eliminate all vulnerabilities in systems.” It is impossible to achieve perfect security. Cybersecurity today is CYBER RESILIENCE. According to a recent Cisco Security Report, all of the organizations examined showed evidence of suspicious traffic and that networks had been breached. Known issues are growing: 50,000+ recorded vulnerabilities with more added hourly; 86,000 new malware reported each day. Breaches are hard to detect: 229 days average time to detect breach More effective strategy is to assume that cybersecurity incidents will happen and focus on mitigating the consequences. 8

9 Cybersecurity Risk Management: Information and Decision Flows 9

10 Myth Buster: “It’s all about IT.” People, processes & technology are key to cybersecurity. Fostering a CYBERSECURITY CULTURE goes a long way towards preventing and mitigating cyber incidents. There are parallels to safety. A cybersecurity culture is an environment in which cybersecurity best practices are a way of life. Awareness and training along with established security policies and procedures are important aspects of building cybersecurity culture. Requires active management support in a visible manner. 10

11 To create a Cybersecurity Culture Establish policies and procedures Allocate resources for training, awareness and implementation Support and champion good practices Security Awareness Cybersecurity Essentials Role-Based Training Education &/or Experience  Increasing Knowledge and Skills  

12 Myth Buster: “Control system cybersecurity is the same as IT cybersecurity.” Critical to facilitate discussion and interaction between IT, engineering and operational groups. Cybersecurity is generally the responsibility of IT personnel. Control systems are usually the responsibility of engineering and operations personnel. Implementing cybersecurity for transportation control systems requires having a good understanding of security AND the controls systems and the operational environments. 12 CONTROL SYSTEMS Monitor/control PHYSICAL WORLD with emphasis on SAFETY & AVAILABILITY. Risks loss of life or equipment destruction. IT SYSTEMS Collect/process DATA or INFORMATION with emphasis on INTEGRITY & CONFIDENTIALITY. Risk loss of services or confidential information.

13 Control System Security Challenges SECURITY TOPICINFORMATION TECHNOLOGYCONTROL SYSTEMS Anti-virus & Mobile Code Common & widely usedUncommon and can be difficult to deploy Support Technology Lifetime 3-5 yearsUp to 20 years OutsourcingCommon/widely usedRarely used (vendor only) Application of PatchesRegular/scheduledSlow (vendor specific) Change ManagementRegular/scheduledLegacy based – unsuitable for modern security Time Critical ContentDelays are usually acceptedCritical due to safety AvailabilityDelays are usually accepted24 x 7 x 365 x forever Security AwarenessGood in private and public sectorGenerally poor regarding cybersecurity Security Testing/AuditScheduled and mandatedOccasional testing for outages / audit Physical SecuritySecureRemote and unmanned 13 Source: Volpe

14 Disparate institutional, cultural and organizational domains collide Cybersecurity Professionals Cybersecurity Professionals Transportation Professionals Transportation Professionals 14

15 Expert resources & guidance exist 15 Industry Textbooks & Technical Papers DHS, FHWA & APTA Resources APTA Recommended Practices NIST Framework NIST ICS Guide COBIT & SANS

16 Strategic best practices Incorporate cyber risks into existing risk management and governance processes. Elevate cyber risk management discussions to the C-suite. Implement industry standards and best practices. Evaluate and manage your organization’s specific cyber risks. Provide executive oversight and review. Develop and test incident response plans and procedures. Coordinate cyber incident response planning across the enterprise. Maintain situational awareness of cyber threats. 16

17 CEO role in cybersecurity Set the tone from the top Expand organizational risk decision-making and mission priorities to include cyber security Advocate for cyber “secure” policies in procurement rules, HR policies, and state/regional systems and processes. 17

Download ppt "Protection of Transportation Infrastructure from Cyber Attacks EXECUTIVE BRIEFING."

Similar presentations

Organizational Governance

Organizational Governance
Risk Management at Harvard – Panel Discussion Harvard IT Summit

Risk Management at Harvard – Panel Discussion Harvard IT Summit
Course: e-Governance Project Lifecycle Day 1

Course: e-Governance Project Lifecycle Day 1
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
Overview of Priorities and Activities: Shared Services Canada Presentation to the Information Technology Infrastructure Roundtable June 17, 2013 Liseanne.

Overview of Priorities and Activities: Shared Services Canada Presentation to the Information Technology Infrastructure Roundtable June 17, 2013 Liseanne.
Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.

Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Agenda COBIT 5 Product Family Information Security COBIT 5 content

Agenda COBIT 5 Product Family Information Security COBIT 5 content
National Infrastructure Protection Plan

National Infrastructure Protection Plan
S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.

S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.
National Protection and Programs Directorate Department of Homeland Security The Office of Infrastructure Protection Cybersecurity Brief [Date of presentation]

National Protection and Programs Directorate Department of Homeland Security The Office of Infrastructure Protection Cybersecurity Brief [Date of presentation]
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Information Security Governance

Information Security Governance
Framework for Improving Critical Infrastructure Cybersecurity NIST Feb 2014.

Framework for Improving Critical Infrastructure Cybersecurity NIST Feb 2014.
Developing Information Security Policy. Why is Developing Good Security Policy Difficult? Effective Security/IA Policy is more than locking doors and.

Developing Information Security Policy. Why is Developing Good Security Policy Difficult? Effective Security/IA Policy is more than locking doors and.
Business Crisis and Continuity Management (BCCM) Class Session 3 3 - 1.

Business Crisis and Continuity Management (BCCM) Class Session
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Asia Pacific Economic Cooperation Transportation Working Group ITS Experts Group Chicago, Illinois September 2002 Walter Kulyk, P.E. Director, Office of.

Asia Pacific Economic Cooperation Transportation Working Group ITS Experts Group Chicago, Illinois September 2002 Walter Kulyk, P.E. Director, Office of.
National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,

National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,

Similar presentations

Ads by Google