Managing Cyber Risks to Transportation Systems

Mike Slawski Cyber Security Awareness & Outreach

The CIA Triad

SABSA Model

TSA Mission in Cyber Space

Mission - Facilitate the measured improvement of the national transportation sector cyber security posture.

Mandates – National Infrastructure Protection Plan (NIPP), Homeland Security Presidential Directive -7 (HSPD-7), Quadrennial Homeland Security Review: Mission 4 (DHS). All progress monitored by Congress through annual reports.

Direction – TSA is designated by DHS as the Sector-Specific Agency for the Transportation Sector. The Office of Information Technology partners with the Office of Security Policy and Industry Engagement to lead cyber security activities in the sector.

Approach – Non-Operational. Education, Facilitation, Communication

CSAO Strategy and Goals

Strategy: “The Sector will manage cybersecurity risk through maintaining and enhancing continuous awareness and promoting voluntary, collaborative, and sustainable community action.”

Goal 1: Maintain Continuous Cybersecurity Awareness

Goal 2: Improve and Expand Voluntary Participation

Goal 3: Define Conceptual Environment

Goal 4: Enhance Intelligence and Security Information Sharing

Goal 5: Ensure Sustained Coordination and Strategic Implementation

CSAO Challenges

Human Beings

Ignorance

Trust (NDAs, legal constraints, etc.)

Information classification

Partnerships and Resources

Federal:
- DHS: NPPD, NCSD, NCCIC, US-CERT and ICS-CERT
- DoT: Federal Highway, State and Local (Volpe - National)
- Military: USCG/Cyber Command, TRANSCOM

Industry:
- 6 Modes: Aviation, Mass Transit, Freight Rail, Pipeline, Maritime, Highway Motor Carrier (HMC)
- Associations (e.g., Association of American Railroads)
- Individual Companies (e.g., Union Pacific)

ISACs:
- Multi-State, Surface/Public Transportation

TSA Coordination:
- OSPIE, Office of Intelligence and Analysis

Transportation Sector Cyber Activities

Aviation – Created a working group to develop an ISAC for cyber

Pipeline – Developing industry-wide cyber risk management approach

Maritime – Partnering with TSA, DOT, and DHS to develop a cyber risk management approach for the nation’s port facilities. Co-hosting the 2012 Cybersecurity in Transportation Summit with TSA

Freight Rail – Building annual Corporate Security Review for Class 1 Railroads

Mass Transit – TSA partners with American Public Transportation Association to improve control systems cyber security standards

Highway Motor Carrier – TSA CSAO participates in CIPAC meetings and is an active member of the GCC/SCC meetings; ABE-40

2012 Initiatives

Cybersecurity Exercises

Transportation Systems Sector Cyber Working Group

2012 Cybersecurity in Transportation Summit

Cybersecurity Assessment and Risk Management Approach (CARMA)

National Level Exercise 2012 - Overview

Conducted between March and July 2012
- Included participation from nearly all critical sectors identified in the NIPP
- Several phases, from threat warnings and indications to detailed scenarios

Objectives:
- Improve cross-sector and intra-industry communications during a crisis
- Test and evaluate centralized cyber incident handling procedures

Outcomes:
- AAR in development / SSI content

Cyber Security Tabletop Exercise: TSA and U.S. Transportation Command - Overview

Conducted on June 20, 2012
- First ever cyber security exercise between TSA and DoD

Objectives:
- Broaden the understanding of transportation industry impacts to mission-critical DoD functions in the event of a cyber attack on transportation systems
- Identify knowledge gaps between DoD and DHS entities for cyber incident handling processes
- Improve collaboration between DoD, TSA, and DHS resources

General Exercise Outcomes:

1. Foster Education, Collaboration and Awareness

2. Promote and Further Public Private Partnerships

3. Enhance Information Sharing Efforts

OSPIE has developed a sector outreach cyber security strategy based on these priorities. OIT will support OSPIE through continued SME guidance and through awareness and outreach events, including the 2012 Summit.

Information Sharing Resources

Weekly newsletter:

Published to promulgate open source stories about recent cyber events and transportation-specific news

Excellent resource for busy industry leaders to maintain situational awareness

Monthly Transportation Systems Sector Cyber Working Group

Transportation Research Board Cyber Subcommittee

Monthly meeting hosted by Mr. Mike Dinning

Discussions incorporate research from academia, industry, and government on relevant cyber security topics

2012 Cyber Security in Transportation Summit

September 24-25, 2012 | Hilton Crystal City at National Airport, Arlington VA

Mission: Help identify and sustainably manage the risk to critical transportation functions and business from cyber attacks.

Co-hosted by TSA and the USCG Cyber Command

Topics will include:
- Combating Insider Threats
- Control Systems Roadmap
- Open Source Threat Briefing
- DHS Cyber Security Resources
- Hacking SCADA Systems
- Opportunities for collaboration
- ... and many others

Additional Resources

CARMA Overview

Stage 1: Scope Cyber Risk Management Effort
- Determine Scope and Identify Subject Matter Experts
- Develop Cyber Risk Management Work Plan

Stage 2: Identify Cyber Infrastructure
- Validate Critical Business Functions
- Identify Cyber Dependent Infrastructure

Stage 3: Conduct Cyber Risk Assessment
- Develop and Test Threat Scenarios
- Develop Cyber Risk Profile

Stage 4: Develop Cyber Risk Management Strategy
- Evaluate and Prioritize Risk Response Actions
- Develop Cyber Risk Strategy and Validate

Stage 5: Implement Risk Management Strategy and Measuring
- Productize Suggested Operational Plan for Distribution
- Develop Suggested Sector Cyber Metrics
- Collect and Analyze Metrics Data (where requested)
- Refine Risk Management Strategy

Ongoing: Administrative Support and Governance

Cybersecurity Evaluation Program (CSEP)

CSEP conducts voluntary cybersecurity assessments across all 18 CIKR sectors, within state governments and large urban areas. CSEP affords critical infrastructure sector participants a portfolio of assessment tools, techniques, and analytics, ranging from those that can be self-applied to those that require expert facilitation or mentoring outreach. CSEP works closely with internal and external stakeholders to measure key performance in cybersecurity management. The Cyber Resiliency Review is being deployed across all 18 critical infrastructure sectors and state, local, tribal, and territorial governments.

For more information, visit www.dhs.gov/xabout/structure/editorial_0839.shtm or contact [email protected]

Cybersecurity Evaluation Tool (CSET)

CSET is a desktop software tool that guides users through a step-by-step process for assessing the cyber security posture of their industrial control system and enterprise information technology networks. CSET is available for download or in DVD format. To learn more or download a copy, visit http://www.us-cert.gov/control_systems/satool.html. To obtain a DVD copy, send an e-mail with your mailing address to [email protected].

Cybersecurity Vulnerability Assessments through the Control Systems Security Program (CSSP)

CSSP Assessments provide on-site support to critical infrastructure asset owners by assisting them to perform a security self-assessment of their enterprise and control system networks against industry accepted standards, policies, and procedures. To request on-site assistance, asset owners may e-mail [email protected]

Industrial Control Systems (ICS) Technology Assessments

ICS Assessments provide a testing environment to conduct baseline security assessments on industrial control systems, network architectures, software, and control system components. These assessments include testing for common vulnerabilities and conducting vulnerability mitigation analysis to verify the effectiveness of applied security measures. To learn more about ICS testing capabilities and opportunities, e-mail [email protected]

Information Technology Sector Risk Assessment (ITSRA)

ITSRA provides an all-hazards risk profile that public and private IT Sector partners can use to inform resource allocation for research and development and other protective measures which enhance the security and resiliency of the critical IT Sector functions. For more information, see http://www.dhs.gov/xlibrary/assets/nipp_it_baseline_risk_assessment.pdf or contact [email protected].

How to Get Involved

• Email us! [email protected]

• Read our weekly newsletter

• Participate in our monthly TSS-CWG meetings (open to GCC and SCC members)

• Attend our summit!

• Section Chief: Ms. Kelley Bray 571-227-2198 • [email protected]

Michael Slawski, CISSP, CIPP, Sec+, SCF, Surfer

Follow me on Twitter: @michaelslawski Email: [email protected] Phone: 571-227-4292