National Railroad Passenger Corp. (AMTRAK) Session 1 Threats and Constraints. Continuous. - Continuous Monitoring. - Continuous Assessment

Transcription

1 0

2 National Railroad Passenger Corp. (AMTRAK) Session 1 Threats and Constraints Continuous - Continuous Monitoring - Continuous Assessment - Continuous Education 1

3 Amtrak Information Security Challenges & Execution International Union of Railways North American Regional Assembly on May 4th and the UIC Workshop on the Digital Railway and Rail Security on May 5th (Washington D.C.) Ron Baklarz, C CISO, CISSP, CISA, CISM, NSA-IAM/IEM Chief Information Security Officer Page 2

4 AMTRAK Corporate Presentation & Key Challenges Page 3

5 Amtrak Mission The Amtrak mission is to deliver intercity transportation with superior safety, customer service and financial excellence. To accomplish this mission, Amtrak has identified three overarching strategic themes: Safety and Security, Customer Focus and Financial Excellence. Page 4

6 Covering America Page 5

7 About Amtrak - Physical Aspects Employees: 20,000 Annual Revenue FY2015: > $3.2 billion Route Miles: Amtrak Owned Track: 363 miles of the 457-mile Northeast Corridor (NEC) Freight Owned Track: 21,000 Miles NEC: 2,200 trains each weekday, including: freight trains traveling at speeds of mph commuter trains that travel at speeds up to 125 mph Amtrak Regional trains that travel at 110 or 125 mph Acela Express trains that can reach speeds of 150 mph. Long Distance: Amtrak operates 15 long distance routes over an 18,500 mile network serving 39 states and the District of Columbia. Long distance trains are the only intercity passenger rail service in 23 states and 223 communities. Amtrak Operated Corridor and State Services: 6,000-mile route system serving 23 states primarily in the Northeast, Midwest and along the Pacific Coast Destinations Serviced: >500 Passengers FY15: 30.8 million Amtrak owns 18 tunnels (consisting of 24 miles of track) and 1,414 bridges. Page 6

8 About Amtrak - Cyber Aspects 2 Datacenters 1500 servers Mainframes, Unix, Linux and Windows 10,000 client devices (endpoints) 350 Application Portfolio Ticket Kiosks VISA/Master Card Level 1 Merchant Industrial Control Systems SCADA (electric distribution), CETC (signaling), PTC Network Statistics: data switches 25,000 voice sets 174 routers 116 firewalls 100 voice switches Page 7

9 Challenges PEOPLE PROCESS -- TECHNOLOGY Build and maintain an effective, efficient, and credible Information Security Program - staff, governance model, and budget Bring specific people, processes, and technologies in compliance with various regulatory frameworks: e.g., PCI-DSS standards (>200 Controls) as a Level 1 Merchant; FISMA (189 Controls), NIST Framework and IT General Controls (ITGC) Change Management, Configuration Management, SOD, Access Control, etc. TECHNOLOGY - Implement Information Security initiatives across a geographically and culturally diverse organization and in the context of a ubiquitous network and computing environment. Page 8

10 Implementation & Execution Executive management buy-in and support Close relationship with auditors and Office of Inspector General Accountability & Compliance Documented Policies & Procedures Implement Best Practices & Control Frameworks Communication & Education Continuous Monitoring of Networks and Systems Page 9

11 Key Themes CONTINUOUS Continuous Monitoring Continuous Assessments Continuous Awareness & Education Page 10

12 Amtrak Information Security Challenges & Execution International Union of Railways North American Regional Assembly on May 4th and the UIC Workshop on the Digital Railway and Rail Security on May 5th (Washington D.C.) Ron Baklarz, C CISO, CISSP, CISA, CISM, NSA-IAM/IEM Chief Information Security Officer Page 11

13 May 4 th Session 1: Threats & Constraints Page 12

14 National Railroad Passenger Corp. (AMTRAK) Session 1 Threats and Constraints Continuous - Continuous Monitoring - Continuous Assessment - Continuous Education 13

15 Threat Categories 14

16 Hacked PC Threats & Uses Source: Brian Krebs 15

17 Hacked Threats & Uses Source: Brian Krebs 16

18 Cyber Kill Chain Page 17

19 Cyber Kill Chain Defensive Strategies Page 18

20 The Adaptive Security Architecture Predict Proactive Exposure Assessment Predict Attacks Remediate/ Make Change Respond Baseline Systems Design/Model Change Investigate/ Forensics Continuous Monitoring and Analytics Detect Incidents Harden and Isolate Systems Divert Attackers Contain Incidents Confirm and Prioritize Prevent Incidents Detect & Analyze Prevent & Protect. Page 19

21 Amtrak IT Information Security Program 9 82 years 5 47 Full Time Employees Combined Security Experience Post-Graduate Degrees Professional Certificates Predict Detect & Analyze Prevent & Protect Threat Inputs Vulnerability Assessments Frameworks (~ 560 controls) IT Security Policies/ Incident Response SIEM Anti-Malware MSS Looking Glass Open Source Intel DHS FBI US CERT Ad Hoc Continuous Monitoring Monthly 3 rd Party Scans Monthly Other 3rd Party Scans Quarterly PCI-DSS Scans Annual PCI External Annual PCI Internal INFOSEC Internal/External (weekly & ad hoc) Other 3 rd Party Assessments Tool Mapping (Defense in Depth & Cyber Kill Chain Models) Vulnerability Identification & Remediation PCI DSS (200) FISMA (140) Maturity Model (123) NIST Framework (100) Continuous Assessments RESPOND Cloud Security Policy Data Encryption Firewall Standard & Procedures IS Roles & Responsibilities Server Policy & Standard Auditing Policy & Procedures File Integrity Monitoring (FIM) Incident Response Procedure Security Standards for Developers Wireless Security Policy Continuous Education Mobile Security Policy Page 20

22 Amtrak IT Security Operations Center Predict Detect & Analyze Prevent & Protect Security Operations Center (SOC) RESPOND Page 21

23 SOC Operations Statistics Log Volume and Tickets Summary SIEM October 2015 November 2015 December 2015 January 2016 February 2016 March 2016 SIEM Logs per Month 2,569,978,089 3,265,894,595 5,124,446,692 5,580,206,400 4,570,989,060 4,995,833,869 SIEM Logs per Day 82,902, ,617, ,304, ,006, ,249, ,527,796 System Agents Deployed Log Sources 1,727 1,979 1, Incident Tickets per Month SIEM Maintenance Tickets Per Month Alarms Investigations Per Month N/A N/A N/A 11,708 6,908 5,252 Vulnerability Scan Summary Scanning Tool October 2015 November 2015 December 2015 January 2016 February 2016 March 2016 Tool Tool Tool Tool Tool Tool Tool Tool 8 N/A N/A N/A N/A N/A 301 Tool Total Number of IP Addresses Assessed

24 Threat Resource 2016 Global Threat Intelligence Report (GTIR) The NTT Group security companies - Solutionary, NTT Com Security and Dimension Data have produced the most comprehensive report to date, pulling information from 24 security operations centers, seven R&D centers, 3.5 trillion logs, 6.2 billion attacks and nearly 8,000 security clients across six continents. Get actionable intelligence, guidance about what attackers are doing, and comprehensive security controls designed to disrupt attacks in the 2016 GTIR. Controls recommended in this report will contribute to an organization's survivability and resiliency in the face of an attack. Get the Report. Learn how to utilize the Lockheed Martin Cyber Kill Chain in the 2016 NTT Group Global Threat Intelligence Report. Sponsor: Solutionary Inc GTIR-Final.pdf 23