Protection of Transportation Infrastructure from Cyber Attacks EXECUTIVE BRIEFING.
Road Map for Today
- Why cybersecurity is important
- Consequences of inaction
- Common myths
- Strategic best practices
- What can be done

Today's transit systems are cyber.
[Figure: transit system components; only the label "Fare" survives from the diagram]

Today's highways are going cyber.

Consequences can be significant:
- Reputational damage
- Economic impact
- Political repercussions
- Safety impact

Myth Buster: "It won't happen to us." There have been many reported cyber incidents in transit already.

Myth Buster: "It won't happen to us." There have been many reported cyber incidents in transportation already.

Myth Buster: "It's possible to eliminate all vulnerabilities in systems." It is impossible to achieve perfect security. Cybersecurity today is CYBER RESILIENCE.

According to a recent Cisco Security Report, all of the organizations examined showed evidence of suspicious traffic and of networks having been breached.
- Known issues are growing: 50,000+ recorded vulnerabilities, with more added hourly; 86,000 new malware samples reported each day.
- Breaches are hard to detect: 229 days is the average time to detect a breach.

A more effective strategy is to assume that cybersecurity incidents will happen and to focus on mitigating the consequences.

Cybersecurity Risk Management: Information and Decision Flows
[Figure: information and decision flow diagram; no text recovered]

Myth Buster: "It's all about IT." People, processes and technology are all key to cybersecurity. Fostering a CYBERSECURITY CULTURE goes a long way towards preventing and mitigating cyber incidents, and there are parallels to safety culture.

A cybersecurity culture is an environment in which cybersecurity best practices are a way of life. Awareness and training, along with established security policies and procedures, are important aspects of building that culture. It requires active management support, given in a visible manner.

To create a Cybersecurity Culture:
- Establish policies and procedures
- Allocate resources for training, awareness and implementation
- Support and champion good practices

[Figure: ladder of increasing knowledge and skills, from Security Awareness to Cybersecurity Essentials to Role-Based Training to Education and/or Experience]

Myth Buster: "Control system cybersecurity is the same as IT cybersecurity." It is critical to facilitate discussion and interaction between IT, engineering and operational groups. Cybersecurity is generally the responsibility of IT personnel, whereas control systems are usually the responsibility of engineering and operations personnel. Implementing cybersecurity for transportation control systems requires a good understanding of security AND of the control systems and their operational environments.

CONTROL SYSTEMS monitor and control the PHYSICAL WORLD, with emphasis on SAFETY and AVAILABILITY. The risk is loss of life or destruction of equipment.

IT SYSTEMS collect and process DATA or INFORMATION, with emphasis on INTEGRITY and CONFIDENTIALITY. The risk is loss of services or of confidential information.

Control System Security Challenges (Source: Volpe)

Security Topic               | Information Technology            | Control Systems
-----------------------------|-----------------------------------|---------------------------------------------
Anti-virus & mobile code     | Common & widely used              | Uncommon and can be difficult to deploy
Support technology lifetime  | 3-5 years                         | Up to 20 years
Outsourcing                  | Common/widely used                | Rarely used (vendor only)
Application of patches       | Regular/scheduled                 | Slow (vendor specific)
Change management            | Regular/scheduled                 | Legacy based – unsuitable for modern security
Time critical content        | Delays are usually accepted       | Critical due to safety
Availability                 | Delays are usually accepted       | 24 x 7 x 365 x forever
Security awareness           | Good in private and public sector | Generally poor regarding cybersecurity
Security testing/audit       | Scheduled and mandated            | Occasional testing for outages / audit
Physical security            | Secure                            | Remote and unmanned

Disparate institutional, cultural and organizational domains collide.
[Figure: overlapping domains of Cybersecurity Professionals and Transportation Professionals]

Expert resources and guidance exist:
- Industry textbooks and technical papers
- DHS, FHWA and APTA resources
- APTA Recommended Practices
- NIST Framework
- NIST ICS Guide
- COBIT and SANS

Strategic best practices:
- Incorporate cyber risks into existing risk management and governance processes.
- Elevate cyber risk management discussions to the C-suite.
- Implement industry standards and best practices.
- Evaluate and manage your organization's specific cyber risks.
- Provide executive oversight and review.
- Develop and test incident response plans and procedures.
- Coordinate cyber incident response planning across the enterprise.
- Maintain situational awareness of cyber threats.

CEO role in cybersecurity:
- Set the tone from the top.
- Expand organizational risk decision-making and mission priorities to include cybersecurity.
- Advocate for cyber "secure" policies in procurement rules, HR policies, and state/regional systems and processes.