Effective Practices for The Protection of Transportation Infrastructure From Cyber Incidents: Executive Briefing Pilot Ron Frazier, David Fletcher Co-Principal Investigators NCHRP 20-59(48)

Ron Frazier, David Fletcher Co-Principal Investigators ...sp.scotsem.transportation.org/Documents/D Fletcher 935 AM.pdf · Incorporate cyber risks into existing risk management and


Effective Practices for The Protection of Transportation Infrastructure

From Cyber Incidents: Executive Briefing Pilot

Ron Frazier, David Fletcher Co-Principal Investigators

NCHRP 20-59(48)


Key Presentation Take-Away

• Awareness of this major cyber security research initiative

• Advance look at a key communication instrument

• Opportunity to contribute to the research


NCHRP 20-59(48) Overview

• $300k Cooperative Research Project
  – Sponsors: NCHRP, TCRP
  – Scope: Industrial control, transportation control and enterprise data systems

• Deliverables available Q1 2015
  – Executive briefing template
  – Cyber security primer/best practices
  – Cyber security webinar


Cyber Security in Transportation Survey (2014)

• Respondents motivated to reduce or avoid service interruption, loss of life and property damage

• But: only 20% had a current and tested Continuity of Operations or Disaster Recovery Plan

• 2 of 3 indicated implementing some “best practices” but 3 of 4 unfamiliar w/ national standards


Key Findings from the Research: Disparate institutional, cultural and organizational domains collide

Cyber Security Professionals

Transportation Professionals


EFFECTIVE PRACTICES FOR THE PROTECTION OF TRANSPORTATION INFRASTRUCTURE FROM CYBER INCIDENTS

EXECUTIVE BRIEFING


Road Map for Today

Transportation Systems Cyber Security

• Why cybersecurity is important
• Consequences of inaction
• Common myths
• Strategic best practices
• What can be done

CASE, LLC and WMC, LLC 7


Today’s highway systems . . . are cyber


Today’s transit systems . . . are cyber


Fare


And today’s vehicles have gone “cyber”


Consequences of incidents can be significant


• Reputational Damage
• Economic Impact
• Political Repercussions
• Safety Impact


Myth 1: “No one will attack us.”

Cyber incidents in transportation… are increasing

• Signage/Information Display
• Communications and Information
• Signaling/Switch Control


Myth 2: “It won’t happen to us.”


• According to a recent Security Report, all of the organizations examined during 2013 showed evidence of suspicious traffic, evidence that these networks have been penetrated.

• Perfect security is impossible to achieve... a more effective strategy is to assume that a cybersecurity incident will happen.

• Need to focus on resiliency and mitigating the consequences along with prevention.

Odds are high that it already has...


Myth 3: “It’s all about IT.”

There are parallels to safety…

“Just as transit agencies have created a safety-centric culture—saving lives and reducing accidents and accident severity—they need to foster and create a cybersecurity culture”.

• Awareness program
• Training program
• On-going risk assessment
• Security policies and procedures

Requires active management support in a visible manner.


Cybersecurity Risk Management: Information and Decision Flows


Myth 4: “Control system cybersecurity is the same as IT cybersecurity.”

There are differences between IT systems and control systems that need to be recognized.

• Cybersecurity for transportation control systems requires having a good understanding of security AND the control systems and the operational environments.

• Cybersecurity is generally the responsibility of IT personnel. Control systems are usually the responsibility of engineering and operations personnel.

Critical to facilitate discussion and interaction between the two groups.


Expert resources and guidance exist

Strategic best practices…

• Incorporate cyber risks into existing risk management and governance processes.
• Elevate cyber risk management discussions to the C-suite.
• Implement industry standards and best practices.
• Evaluate and manage your organization’s specific cyber risks.
• Provide executive oversight and review.
• Develop and test incident response plans and procedures.
• Coordinate cyber incident response planning across the enterprise.
• Maintain situational awareness of cyber threats.


CEO role in cybersecurity: What should you be doing …

• Set the tone from the top

• Expand organizational risk decision-making and mission priorities to include cyber security

• Advocate for cyber “secure” policies in procurement rules, HR policies, and state/regional systems and processes


Research Team

• Ron Frazier
• Dave Fletcher
• Jeff Western
• Pat Bye
• Yuko Naganishi
• Dave Ekern
• Mike Smith


Thank You

For additional information, please contact: Dave Fletcher Co-Principal Investigator, NCHRP 20-59(48) Western Management and Consulting, LLC 505-379-6499 [email protected]