PROTECTION OF TRANSPORTATION INFRASTRUCTURE FROM CYBER

PROTECTION OF TRANSPORTATION INFRASTRUCTURE FROM CYBER ATTACKS: PROJECT SUMMARY Summary of Findings and Primer Overview Final Presentation Countermeasures Assessment and Security Experts, LLC New Castle, Delaware and Western Management and Consulting, LLC Madison, Wisconsin

2 Presentation Overview Project Overview Cybersecurity Survey Overview Primer Overview Summary of Research Findings

3 Research Team Ernest “Ron” Frazier (CASE) Principal Investigators David Fletcher (WMC) Countermeasures Assessment & Security Experts Western Management and Consulting Subject Matter Experts David Ekern, Mike Smith Jeff Western, Pat Bye Yuko Nakanishi, Jennifer Bayuk, Barry Horowitz

4 Project Objective The objective of this research was to develop 1. 2. 3. a cybersecurity primer, an executive briefing for transportation infrastructure managers, technical webinars for highway and transit audiences These products 4. 5. explain the nature of cyber events and their operational and safety impacts, and contain effective practices that can be used to protect transportation systems from cyber events and to mitigate damage should an attack or breach occur. The research material was derived from a variety of non-classified sources and is intended to introduce the roles, responsibilities and capabilities associated with enterprise-wide cybersecurity programs to non-security professionals.

5 Project Scope Sponsors: NCHRP, TCRP Institutional Scope: Highway and public transportation organizations and infrastructure Technical Scope: Industrial control, transportation control and enterprise data systems

6 Project Overview Phase I Tasks 1. 2. 3. 4. 5. 6. Transit Cyber Lit. Review Highway Cyber Lit. Review Survey of Agency Cybersecurity Practice Executive Briefing Phase II Work Plan Interim Report Phase II Tasks 7. 8. 9. Develop Case Studies, Briefing, Primer, Pilot Briefings and Webinars Final Report, Briefing and Primer

7 Literature Review Cyber Security Definitions and Concepts Cyber Security and Transportation Systems Threats and Vulnerabilities in IT, Control Systems and Enterprise Data Systems Transportation Cyber Security Incidents Cyber Security and Control System Recommended Practices Executive Decision Making in Cyber Security Cyber Security Standards for IT and Control Systems Cyber Security Training Federal and Legal Cyber Security Requirements

8 Cybersecurity in Transportation Survey Scanning survey designed to Raise awareness of cyber issues Baseline sector cyber security maturity Identify “best practice” organizations Survey focused on How serious a problem do respondents perceive cyber security to be? How serious of a problem has cyber security been in the transportation industry to-date? What are the quantity and depth of resources (i.e., skills, dollars, training time. etc.) being applied to these problems? Is this investment sufficient, given all the other things that need attention? 850 invitations sent to AASHTO and APTA members and other stakeholders 90 responses (11% return)

9 Survey Findings Respondents driven by desire to reduce or avoid service interruption, loss of life and property damage Most respondents are aware of cyber-threats and vulnerabilities but rank their risk as moderate to low. Top 3 threats believed to be natural disasters, criminal behaviors of outsiders and/or the loss of critical related services although transit agencies rank insiders as a significant threat. Most respondents assess risk to control systems as less than risk to data systems. Line-of-business managers see security as an IT issue. Almost no respondent reported previous cyber security events.

10 Primer Overview Preface Introduction Chapter 1 Chapter 2 Chapter 3 Chapter 4 Chapter 5 Chapter 6 Chapter 7 How to Use This Guide Business Case for Cybersecurity Top Myths of Transportation Cybersecurity Cybersecurity Risk Management, Risk Assessment and Asset Evaluation Cybersecurity Plans and Strategies, Establishing Priorities, Organizing Roles and Responsibilities Transportation Operations Cyber Systems Countermeasures: Protection of Operational Systems Training: Building a Culture of Cybersecurity Security Programs and Support Frameworks

11 Top Myths of Transportation Cybersecurity 1. Nobody wants to attack us 2. It can’t happen to us 3. It’s all about IT 4. It’s possible to eliminate all vulnerabilities in systems 5. Cybersecurity incidents will not impact operations 6. Control system cybersecurity can be handled the same as IT cybersecurity 7. Security is a problem that needs to be solved only once

12 Cybersecurity Risk Management, Risk Assessment and Asset Evaluation Risk Risk Management Management Program Program for for Control System Security Control System Security Source: Source: PowerPoint PowerPoint Presentation Presentation on Control on Control Systems Systems Security Security Program Program –– Transportation Transportation DHS DHS CSSP ICSJWG CSSP ICSJWG Conference Conference –– Seattle Seattle October October 27, 27, 2010 2010 David David Sawin Volpe Program Sawin Volpe Program Manager, Manager, Information Information Assurance Assurance (Control (Control Systems) Systems)

13 Cybersecurity Plans and Strategies, Establishing Priorities, Organizing Roles and Responsibilities

14 Transportation Operations Cyber Systems Control systems vs. IT systems CONTROL SYSTEMS Monitor/control PHYSICAL WORLD with emphasis on SAFETY & AVAILABILITY. Risks loss of life or equipment destruction. IT SYSTEMS Collect/process DATA or INFORMATION with emphasis on INTEGRITY & CONFIDENTIALITY. Risks loss of services or confidential information.

15 Persistent Cybersecurity Issues in Surface Transportation Resilience – In this context, resilience refers to the ability of a system to operate adequately when stressed by unexpected or invalid inputs, subsystem failures or extreme environmental conditions. Privacy - The ability of a system to protect sensitive information from unauthorized access by humans or machines. Malicious Attacks – The ability to deter and recover from internal vulnerability exploits even in “air-gapped” systems. Intrusion Detection – The ability of a system to monitor its internal baseline “normal” operating parameters and issue an alert when deviations are detected.

16 Countermeasures There are approaches to reduce risks & mitigate impacts. Expert resources & guidance exist to help. NIST Framework NIST ICS Guide COBIT & SANS Industry Textbooks & Technical Papers DHS & FHWA Resources APTA Recommended Practices https://ics-cert.us-cert.gov/Standards-and-References

17 Recommended Best Practices Cyber Hygiene Access Control Data Security and Information Protection Protective Technology Boundary Defense and Network Separation Configuration Management Training

18 Countermeasures: Findings No “one-size-fits-all” cybersecurity program, technology or training exists or can ever be developed; each agency must determine, deploy and operate countermeasures unique to its local circumstance. These circumstances are continuously evolving forcing the continual evaluation and evolution of effective cybersecurity measures. Although the Primer contains guidance on a variety of possible countermeasures, many recommended practices may be unavailable or not implementable due to local regulatory, governance, commercial, technical or other resource constraints.

19 Training: Building a Culture of Cybersecurity What is a Culture of Cybersecurity? Importance of Awareness and Training Organizational Support Building upon Safety and Security Cultures Cybersecurity Awareness and Training Program Functions and User Categories Training Course Content Awareness and Training Delivery Evaluation Performance Indicators Continuous Improvement Awareness and Training Resources

20 Cyber Culture “Cybersecurity involves People, Technology, & Process ” Everyone from frontline personnel to senior managers “People, essential in the creation of a cybersecurity culture, are often thought to be the most vulnerable element and therefore require significant attention ” “Culture is fueled by good basic practices which some describe as Cyber Hygiene and Sustained Awareness by all employees.” Images: APTA.com

21 Enterprise Training Cybersecurity Functions IDENTIFY PROTECT DETECT RESPOND RECOVER Roles & User Categories All Users & Third Party Stakeholders Privileged Users Managers/Senior Executives Training Personnel IT/Cybersecurity Personnel Physical Security Personnel NIST Pubs 800-16 Rev 1 Cybersecurity Framework

22 Security Programs and Support Frameworks USA Patriot Act of 2001 The National Strategy To Secure Cyberspace (2003) Presidential Policy Directive 8: National Preparedness (2011) The National Infrastructure Protection Plan (NIPP) (2013) Executive Order 13636 (EO) Improving Critical Infrastructure Cybersecurity (2013) NIST Cybersecurity Framework (2014)

23 Control System Cybersecurity Support “The Transportation Industrial Control Systems (ICS) Cybersecurity Standards Strategy” (2012) “A Roadmap to Secure Control Systems in Transportation” (2012) US-CERT and Industrial Control Systems (ICS-CERT) Cyber Information Sharing and Collaboration Program National Institute of Standards and Technology (NIST) Cyber Framework/Cyber-Physical Systems Framework National Vulnerability Database Computer Security Division's Computer Security Resource Center Surface transportation ISAC APTA Recommended Practices: Securing Control and Communications Systems in Rail Transit Environments Part I (2010) Elements, Organization and Risk Assessment/Management Part II (2013) Defining Security Zone Architecture for Rail Transit and Protecting Critical Zones Part IIIa (2015) Attack Modeling for Rail Transit

24 Summary of Research Findings I Cyber-incidents are not a major concern within State DOTs perhaps because due to a lack of experience with a serious attack or loss of essential function due to cyber failure. Although transit systems have encountered cyber-attacks in the past, cyber risks are still perceived as low to medium, especially for smaller transit systems. However, transportation systems are vulnerable to the same and/or similar cyber-attacks as any other industry that uses information systems and industrial control networks to accomplish its core business functions. Within the transportation sector, there are significant differences between the perception of cyber risks for critical infrastructure and the current state of practice in cybersecurity. Cyber risks are significant and growing in transportation because of the increasing dependence on connected information systems and networks with inherent vulnerabilities (e.g., ICS systems, fare/payment systems, BYOD), expanding opportunities for attack (positive train control, ITS, wireless systems), and increasing sophistication and availability of attack tools. Within transportation agencies, there are different “cultures” (operations, IT, corporate) that may not understand each other’s systems and processes which can create a lack of awareness of cyber threats and potential weaknesses and vulnerabilities in the system. Recent, highly publicized “hacks” in transportation have centered on vehicle security and not infrastructure breaches. Although an important topic, vehicle-based cybersecurity was not in the scope of this research Manufacturers of digital components, particularly those used in control systems act as gatekeepers of systems security. Many of the vendors in this space do not have demonstrated security capability.

25 Summary of Research Findings II In today’s cyber environment, 100% security is not possible, but it is possible to Address most common vulnerabilities that cause a majority of cyber incidents Make it “more expensive” for the attacker in terms of types of effective approaches, required level of skills, and the extent of knowledge of systems to be attacked, etc. Look to other industries for effective approaches and recommended practices Find standards and guidance for transportation agencies Effective cybersecurity should focus more on intrusion detection and system resilience Improving security behavior and work flows are just as important as technology in improving cyber security. Security decisions should be risk based and part of routine cost, schedule, and performance tradeoffs. However, there are inadequate measures of “security” to calculate how much “security” is enough. There are a range of current decision-making approaches being used in transportation today. Cybersecurity decision-making approaches range from ad hoc and disaster driven to formal governance and policy-based approaches. Decision-making approaches include top down decisions where CIO or functional owner makes decisions or committee decisions with representatives from multiple departments and functions. Participants in cybersecurity decision-making include IT, engineering, operations, and sometimes other representatives, such as law enforcement.

THANK YOU Countermeasures Assessment and Security Experts 302-322-9600 https://www.caseexperts.com