© 2016 Cybersecurity Analysis, Ltd. │ Confidential
Transit's Cybersecurity Posture: Sit-up or Stand-down
Leigh WEBER, CISSP, Principal
Cybersecurity Analysis, Ltd.
Blue Bell, PA
Who Knows About Cyber Risk?
• Identity Theft?
• Credit Card Reissued?
• Place Where You Shop?
• Any Gov’t Agencies?
• Financial Institutions?
• Anyone Accidentally?
What do WE have that THEY want? Nothing – Right?
• Automation Systems
• Fare & Revenue
• Fire / Life-Safety: Fire Alarm / Emergency Systems / Monitoring
Operationally Critical:
• Dispatch / Comms / Power
Rail:
• Signals, Traction Power, Station Services
Enterprise Issues:
• Fare and Revenue Systems
• HR: Personnel Data
• Financial
Operational Data:
• Passenger Information Systems
• Status / Schedule: BYOD interfaces (IoT)
• RFI/RFP Responses
What Happens When These Turn into Those?
30,000 Saudi Aramco computers became bricks in minutes (15 August 2012)
Eh – Not to Worry! NOTHING CAN GO WRONG
Words to lose riders by:
Stand-Down!
We're secure!
Sit-Up: Process Life-Cycle (initial), in cycle order:
• Cybersecurity Risk Management Goals: define risk management objectives; get executive sponsorship.
• Definition of Assessment Methodologies: standards mapping, preparation of templates / checklists.
• Asset Inventory and Classification: critical cyber asset inventory and classification.
• Risk & Vulnerability Assessments: risk assessment of the critical cyber assets.
• Asset Assessments: detailed on-site / procedural assessment.
• Gap Identification: gap analysis report based on assessment findings, with recommendations.
• Remediation Plan: plan to reduce risks; addresses critical assets first, in line with Operations MOC.
• Remediation Implementation: implementation of the remediation activities.
• Remediation Validation: test to ensure the remediation worked (reassess gaps).
• Evergreen Procedure: define processes and procedures to ensure ongoing compliance.
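As an added worked example (not from the deck or from Cybersecurity Analysis, Ltd.), the script below models the life-cycle steps above as a small gap register: an inventory with a criticality classification, a likelihood × impact risk score, gap identification against a control checklist, a critical-first remediation plan, and validation by re-assessing gaps after remediation. The asset names, the control IDs C1–C4 and the scores are constructed for illustration; the control list is a hypothetical checklist, not a mapping to any real standard.

```python
"""Minimal cyber-asset gap register following the assess / remediate / validate cycle.

Added example; asset names, control IDs and scores are constructed, not real data.
"""
from dataclasses import dataclass, field

# Hypothetical control checklist (assumed, not taken from any standard).
CONTROLS = {
    "C1": "network segmentation between enterprise and operational networks",
    "C2": "unique, non-default credentials on every device",
    "C3": "offline, tested backups",
    "C4": "centralized logging and monitoring",
}

# Classification tiers drive remediation order: lower number is handled first,
# so life-safety systems are always ahead of enterprise and public-facing ones.
TIER_ORDER = {"life-safety": 0, "operational": 1, "enterprise": 2, "public": 3}


@dataclass
class Asset:
    name: str
    tier: str                       # classification from the inventory step
    likelihood: int                 # 1..5, from the risk assessment
    impact: int                     # 1..5, from the risk assessment
    controls_present: set = field(default_factory=set)

    @property
    def risk(self) -> int:
        """Simple likelihood x impact score used to rank assets within a tier."""
        return self.likelihood * self.impact


def identify_gaps(asset: Asset) -> list:
    """Gap identification: checklist controls the on-site assessment did not find."""
    return sorted(set(CONTROLS) - asset.controls_present)


def remediation_plan(assets: list) -> list:
    """Critical first: order by classification tier, then by risk score descending.

    Returns (asset name, open gaps) pairs, omitting assets with no gaps.
    """
    ranked = sorted(assets, key=lambda a: (TIER_ORDER[a.tier], -a.risk, a.name))
    return [(a.name, identify_gaps(a)) for a in ranked if identify_gaps(a)]


def remediate(asset: Asset, control_ids) -> None:
    """Remediation implementation: record the controls now in place on the asset."""
    asset.controls_present |= set(control_ids)


def validate(assets: list) -> dict:
    """Remediation validation: re-assess every asset and report any gaps that remain."""
    return {a.name: identify_gaps(a) for a in assets if identify_gaps(a)}


def build_inventory() -> list:
    """Constructed sample inventory; illustrative names, not any real agency's assets."""
    return [
        Asset("signal interlocking controller", "life-safety", 3, 5, {"C2"}),
        Asset("dispatch radio gateway", "operational", 4, 4, {"C1", "C2"}),
        Asset("fare collection server", "enterprise", 4, 3, {"C1", "C2", "C3"}),
        Asset("passenger information display feed", "public", 5, 2,
              {"C1", "C2", "C3", "C4"}),
    ]


if __name__ == "__main__":
    inventory = build_inventory()
    for name, gaps in remediation_plan(inventory):
        print(f"{name}: close {', '.join(gaps)}")
    # Implement remediation for the first (most critical) item, then re-validate.
    top = inventory[0]
    remediate(top, identify_gaps(top))
    print("remaining gaps:", validate(inventory))
```

The ranking key is the point: a fare server with a higher raw risk score still lands behind a signalling controller because classification tier is compared before score, which is what "addresses critical first" means in practice. Running `validate` after `remediate` is the reassess-gaps step; a gap that survives it goes back into the next cycle rather than being closed on paper.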
An Approach – Take AIM:
• A: ACCOUNTABLE
• I: IDENTIFY INTEREST & INTENT
• M: MOTIVATE, MONITOR, & MAKE SAFE
Thank You!
Contact: Leigh Weber, CISSP
+1.484.844.1832
www.CybersecurityAnalysis.com