Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
Effective Practices for The Protection of Transportation Infrastructure
From Cyber Incidents: Executive Briefing Pilot
Ron Frazier, David Fletcher Co-Principal Investigators
NCHRP 20-59(48)
• Awareness of this major cyber security research initiative
• Advance look at a key communication instrument
• Opportunity to contribute to the research
Key Presentation Take-Away
NCHRP 2-59(48) Overview
• $300k Cooperative Research Project – Sponsors: NCHRP, TCRP – Scope: Industrial control, transportation
control and enterprise data systems
• Deliverables available Q1 2015 - Executive briefing template - Cyber security primer/best practices - Cyber security webinar
Cyber Security in Transportation Survey (2014)
• Respondents motivated to reduce or avoid service interruption, loss of life and property damage
• But: only 20% had a current and tested Continuity of Operations or Disaster Recovery Plan
• 2 of 3 indicated implementing some “best practices” but 3 of 4 unfamiliar w/ national standards
Key Findings from the Research: Disparate institutional, cultural and
organizational domains collide
Cyber Security Professionals
Transportation Professionals
EFFECTIVE PRACTICES FOR THE PROTECTION OF TRANSPORTATION INFRASTRUCTURE FROM CYBER INCIDENTS
EXECUTIVE BRIEFING
Road Map for Today
Transportation Systems Cyber Security
• Why cybersecurity is important • Consequences of inaction • Common myths • Strategic best practices • What can be done
CASE, LLC and WMC, LLC 7
Today’s highway systems . . . are cyber
CASE, LLC and WMC, LLC 8
Today’s transit systems . . . are cyber
CASE, LLC and WMC, LLC 9
Fare
And today’s vehicles have gone “cyber”
CASE, LLC and WMC, LLC 10
Consequences of incidents can be significant
CASE, LLC and WMC, LLC 11
Reputational Damage Economic Impact
Political Repercussions Safety Impact
Myth 1: “No one will attack us.” Cyber incidents in transportation…
CASE, LLC and WMC, LLC
Signage/Information Display
Communications and Information
Signaling/Switch Control
are increasing
Myth 2: “It won’t happen to us.”
CASE, LLC and WMC, LLC 13
• According to a recent Security Report, all of the organizations examined during 2013 showed evidence of suspicious traffic, evidence that these networks have been penetrated.
• Perfect security is impossible to achieve... a more effective strategy is to assume that a cybersecurity incident will happen.
• Need to focus on resiliency and mitigating the consequences along with prevention. Odds are high that it already has...
Myth 3: “It’s all about IT.” There are parallels to safety… “Just as transit agencies have created a safety-centric culture—saving lives and reducing accidents and accident severity—they need to foster and create a cybersecurity culture”. • Awareness program • Training program • On-going risk assessment • Security policies and procedures Requires active management support in a visible manner.
CASE, LLC and WMC, LLC 14
Cybersecurity Risk Management: Information and Decision Flows
CASE, LLC and WMC, LLC 15
Myth 4: “Control system cybersecurity is the same as IT cybersecurity.” There are differences between IT systems and control systems that need to be recognized. • Cybersecurity for transportation control systems requires
having a good understanding of security AND the controls systems and the operational environments.
• Cybersecurity is generally the responsibility of IT personnel.
Control systems are usually the responsibility of engineering and operations personnel.
Critical to facilitate discussion and interaction between the two groups.
CASE, LLC and WMC, LLC 16
Expert resources and guidance exist Strategic best practices… • Incorporate cyber risks into existing risk management and
governance processes. • Elevate cyber risk management discussions to the C-suite. • Implement industry standards and best practices. • Evaluate and manage your organization’s specific cyber
risks. • Provide executive oversight and review. • Develop and test incident response plans and procedures. • Coordinate cyber incident response planning across the
enterprise. • Maintain situational awareness of cyber threats.
CASE, LLC and WMC, LLC 17
CEO role in cybersecurity: What should you be doing …
• Set the tone from the top
• Expand organizational risk decision-making and mission priorities to include cyber security
• Advocate for cyber “secure” policies in procurement rules, HR policies, and state/regional systems and processes
CASE, LLC and WMC, LLC 18
Research Team • Ron Frazier • Dave Fletcher • Jeff Western • Pat Bye • Yuko Naganishi • Dave Ekern • Mike Smith
Thank You
For additional information, please contact: Dave Fletcher Co-Principal Investigator, NCHRP 20-59(48) Western Management and Consulting, LLC 505-379-6499 [email protected]