Page 1: Transit's Cybersecurity Posture: Sit-up or Stand-down

Leigh WEBER, CISSP, Principal

Cybersecurity Analysis, Ltd.

Blue Bell, PA

Source: vatransit.com/images/Cyber-WhoIsAtRisk-Exec-VTA2016-Weber.pdf

© 2016 Cybersecurity Analysis, Ltd. │ Confidential

Page 2: Transit's Cybersecurity Posture: Sit-up or Stand-down

Page 3

Who Knows About Cyber Risk?

• Identity Theft?

• Credit Card Reissued?

• Place Where You Shop?

• Any Gov’t Agencies?

• Financial Institutions?

• Anyone Accidentally?

Page 4

What do WE have that THEY want? Nothing – Right?

Operationally Critical:

• Automation Systems

• Fare & Revenue

• Fire / Life-Safety: Fire Alarm / Emergency Systems / Monitoring

• Dispatch / Comms / Power

Rail:

• Signals, Traction Power, Station Services

Enterprise Issues:

• Fare and Revenue Systems

• HR: Personnel Data

• Financial

• RFI/RFP - Responses

Operational Data:

• Passenger Information Systems

• Status / Schedule: BYOD interfaces (IoT)

Page 5

What Happens When These Turn into Those?

30,000 Saudi Aramco computers became bricks in minutes (15-August-2012)

Page 6

Eh – Not to Worry! NOTHING CAN GO WRONG

Words to lose riders by:

Stand-Down!

We’re secure!

Page 7

Sit-Up: Process Life-Cycle (initial)

• Cybersecurity Risk Management Goals: define risk management objectives; get executive sponsorship.

• Definition of Assessment Methodologies: standards mapping, preparation of templates / checklists.

• Asset Inventory and Classification: critical cyber asset inventory and classification.

• Risk & Vulnerability Assessments: risk assessment of the critical cyber assets.

• Asset Assessments: detailed on-site / procedural assessment.

• Gap Identification: gap analysis report based on assessment findings, with recommendations.

• Remediation Plan: plan to reduce risks; addresses critical assets first, in line with Operations MOC.

• Remediation Implementation: implementation of remediation activities.

• Remediation Validation: test to ensure remediation worked (reassess gaps).

• Evergreen Procedure: define processes and procedures to ensure compliance.
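The life-cycle on this slide can be walked through as a small worked example. The Python below is added here and is not part of the presentation; it assumes a constructed asset inventory, a constructed control checklist standing in for the "standards mapping" step, a likelihood × impact risk score, and the simplifying assumption that each implemented control lowers likelihood by one level. It runs the phases in order: classify the inventory, identify gaps, build a critical-first remediation plan, apply it, then reassess the gaps as the validation step.

```python
"""Worked instance of the assessment life-cycle (added example, not the deck's own material).

Assumptions (not from the presentation): the asset inventory, the checklist of
expected controls per asset class, the 1..5 impact/likelihood scales, and the
rule that each implemented control reduces likelihood by one level.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Asset classes the plan treats as "critical first" (constructed mapping).
CRITICAL_CLASSES = {"operationally_critical", "life_safety"}

# Standards mapping step: expected controls per asset class (constructed checklist).
CHECKLIST = {
    "operationally_critical": {"network_segmentation", "mfa_remote_access", "patching", "backup_tested"},
    "life_safety": {"network_segmentation", "patching", "backup_tested", "change_control"},
    "enterprise": {"mfa_remote_access", "patching", "backup_tested"},
    "operational_data": {"patching", "input_validation"},
}


@dataclass
class Asset:
    name: str
    asset_class: str                 # key into CHECKLIST
    impact: int                      # 1..5 consequence if compromised
    likelihood: int                  # 1..5 chance of compromise with current controls
    controls: set[str] = field(default_factory=set)  # controls observed during on-site assessment

    @property
    def risk(self) -> int:
        """Risk score used by the risk assessment phase (assumed likelihood x impact)."""
        return self.impact * self.likelihood


def classify(assets: list[Asset]) -> dict[str, str]:
    """Inventory and classification: tag each asset critical or standard."""
    return {a.name: ("critical" if a.asset_class in CRITICAL_CLASSES else "standard") for a in assets}


def identify_gaps(assets: list[Asset]) -> dict[str, list[str]]:
    """Gap identification: expected controls the on-site assessment did not find."""
    gaps = {}
    for a in assets:
        missing = CHECKLIST[a.asset_class] - a.controls
        if missing:
            gaps[a.name] = sorted(missing)
    return gaps


def remediation_plan(assets: list[Asset]) -> list[tuple[str, list[str]]]:
    """Remediation plan: critical assets first, then highest risk score first."""
    gaps = identify_gaps(assets)
    ordered = sorted(assets, key=lambda a: (a.asset_class not in CRITICAL_CLASSES, -a.risk, a.name))
    return [(a.name, gaps[a.name]) for a in ordered if a.name in gaps]


def apply_remediation(asset: Asset, controls: list[str]) -> None:
    """Remediation implementation: record the controls and lower likelihood (assumed one level each)."""
    asset.controls |= set(controls)
    asset.likelihood = max(1, asset.likelihood - len(controls))


def run_cycle(assets: list[Asset]) -> dict[str, list[str]]:
    """One pass of plan -> implement -> validate; returns the gaps found on reassessment."""
    by_name = {a.name: a for a in assets}
    for name, controls in remediation_plan(assets):
        apply_remediation(by_name[name], controls)
    return identify_gaps(assets)  # remediation validation: reassess gaps


def residual_risk(assets: list[Asset]) -> dict[str, int]:
    """Risk scores after the cycle, for the evergreen procedure to track over time."""
    return {a.name: a.risk for a in assets}


def sample_inventory() -> list[Asset]:
    """Constructed sample inventory modelled on the asset groups listed on slide 4."""
    return [
        Asset("train_control_scada", "operationally_critical", 5, 4, {"patching"}),
        Asset("fire_alarm_monitoring", "life_safety", 5, 3, {"network_segmentation", "change_control"}),
        Asset("fare_collection", "enterprise", 4, 3, {"mfa_remote_access", "patching", "backup_tested"}),
        Asset("passenger_info_feed", "operational_data", 2, 4, set()),
    ]


if __name__ == "__main__":
    inventory = sample_inventory()
    print("classification:", classify(inventory))
    print("plan (critical first):", remediation_plan(inventory))
    print("gaps after remediation:", run_cycle(inventory))
    print("residual risk:", residual_risk(inventory))
```

The ordering key is the point of the example: the plan is sorted first by whether the asset is in a critical class and only then by risk score, so a high-risk enterprise system never displaces a lower-scoring life-safety system, which is the "addresses critical first" rule on the slide. The validation step reuses the same gap function as the initial assessment, so a remediation that was recorded but did not actually close a checklist item would show up again on reassessment.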

Page 8

An Approach – Take AIM:

• A: ACCOUNTABLE

• I: IDENTIFY INTEREST & INTENT

• M: MOTIVATE, MONITOR, & MAKE SAFE

Page 9

Thank You!

Contact: Leigh Weber, CISSP

[email protected]

+1.484.844.1832

www.CybersecurityAnalysis.com
