Cybersecurity Converged Resilience :

Transcription

1 Cybersecurity Converged Resilience : The cybersecurity of critical infrastructure

2 2 AECOM Port Authority of New York and New Jersey (PANYNJ), New York, New York, United States. AECOM, working with the PANYNJ, developed a custom inventory schema and associated questionnaire to inventory the industrial control systems across all 17 PANYNJ transportation and commercial facilities. Developed by combining asset standards from the National Institute of Science and Technology, industry best practices and PANYNJ inventory practices, the plan is a vital first step in addressing security issues on the system.

3 Cybersecurity 3 Converged Resilience : An integrated approach to cybersecurity Some of the greatest management challenges facing the public and private sectors today are from persistent and advanced cyber threats. Trusted information delivery and assured control of an operational enterprise rely on much more than strong network passwords. Today s dynamic threat environment demands integrated solutions, aligned closely to industry-specific operations and critical business functions. The challenge is understanding potential vulnerabilities and making informed, critical decisions on what and where to budget for security and resilience of assets, systems and networks. AECOM s Converged Resilience approach provides integrated, holistic solutions that bolster your ability to anticipate, avoid and absorb threats. Operational resilience must address wired and wireless cybersecurity, physical security and safety, environmental impact, process improvement and an executable governance structure. These elements must be engineeredin to create a safe, secure, effective and economic solution focused on business continuity. We leverage our global capability to design, build, finance and operate facilities, systems and associated infrastructure for nearly every market sector. Our cybersecurity, information technology and risk experts work closely with our architects and engineers to provide tailored solutions that minimize risks, align security investments to industryspecific standards and greatly reduce the impact of an incident. Converged Resilience An integrated, holistic solution to cybersecurity and operational resilience that bolsters an organization s ability to anticipate, avoid and absorb threats.

4 4 AECOM Risk-informed protection of critical data Every business or government entity that relies on data for mission success must be prepared to face disruptions, natural disasters and other anomalies. Protecting that information delivery chain requires a robust enterprise solution addressing governance, policy, standards, a concept of operation, and a view of current and future technology states. AECOM considers your business information requirements and processes, potential risks and threats, operational systems and technologies, as well as future vision to develop sound strategies focused on resilience as well as business continuity. Our practice of identifying, characterizing, and classifying assets and information frames our risk management strategy. Our approach aligns critical processes and business technologies to improve resilience, preparedness, detection and response. AECOM s professionals provide greater insight that informs and enhances decision-making, ensuring resources are properly allocated for maximum benefit. Our teams combine the best technology, people and partners from across industry to deliver: Protecting your organization s data and data networks is central to our Converged Resilience approach. We focus on providing long-term data and intellectual property protection that shields your information and does not compromise your competitive advantage in the marketplace. 317;1 Million new pieces of malware created last year; the number of new threats released each day. Verizon 2015 Data Breach Investigations Report US$12.7 million The average cost of cybercrimes in the United States in Statista, The Statistics Portal 43% The percentage of firms in the United States that experienced a data breach in Ponemon Institute Enterprise vulnerability assessments Enterprise architecture and design RISK MITIGATION Cyber operations/network monitoring Data center consolidation and virtualization Wireless and remote sensing Secure industrial control system design and integration Disaster recovery and back-up Exercises and security evaluations Information assurance User training and cyber awareness Policy and regulatory requirements Secure cloud solutions RISK AWARENESS HN CH TEC T OGY TECHNOLOGY SYSTEMS TEM TE OLOG OL NO HNOLO ST SYS S SY Y S AECOM Converged Resilience PROCESSES SSE PEOPLE P PE PEO ROCESS ES OP L CE PR RO O C P CONTINUOUS IMPROVEMENT

5 Cybersecurity 5 Chicago Department of Water Management, Chicago, Illinois, United States. AECOM worked with the utility to develop a security and preparedness capital improvement plan to improve the security and resilience of supervisory control and data acquisition systems and critical infrastructure for the two largest capacity conventional water treatment plants in the world.

6 6 AECOM Life cycle solutions for infrastructure security AECOM considers life cycle protection of critical infrastructure from every type of risk: deliberate, accidental and natural. Converged Resilience encompasses cyber, wireless and physical domains identifying vulnerabilities and weaknesses within each domain, focusing in on gaps and seams, and aligning critical processes with the critical business technologies to ensure business continuity through improved resilience, preparedness, detection and response. Converged Resilience also integrates risk and security, incorporating a repeatable method of identifying and aligning assets with critical business processes. It uses the best practices of industry, government and sectorspecific methodologies. We crossreference the National Institute of Standards and the Technology, International Standards Organization, Critical Infrastructure Protection, Department of Homeland Security National Infrastructure Protection Plan, American Petroleum Institute and other industry-specific security controls. We work with key stakeholders to frame, assess, remediate and monitor risk focusing on those critical business processes that have the greatest impact to shareholder value, brand name and business operations. INTEGRATED RISK AND SECURITY CYBER PHYSICAL WIRELESS RISK INFORMED DECISIONS SHAREHOLDER VALUE MATERIALITY (HEADLINE RISK) ENTERPRISE (BUSINESS RISK) OPERATIONAL (SECURITY RISK) Critical infrastructure and key resources security Threat and vulnerability assessments Network topology/ desktop configuration Data retrieval/recovery Disaster recovery Emergency preparedness planning Continuity of operations planning Cyber resilience analysis Access security assessment and remediation Closed-circuit television and intrusion detection Bomb blast analysis Sensitive compartmented information facility secure space design and configuration Biometrics Transportation security Emergency operations centers design-build Electromagnetic spectrum vulnerability assessment Technical surveillance countermeasures Radio frequency propagation Electromagnetic interference Electromagnetic environment effects Radio frequency shielding Radio frequency security engineering IEEE Wireless WAN IEEE Wireless MAN Cellular (GSM, CDMA, LTE) FRAME ASSESS RESPOND AND REMEDIATE MONITOR AND MAINTAIN SECURITY LIFE CYCLE CONVERGED RESILIENCE

7 Cybersecurity 7 Developing an effective cybersecurity program requires an understanding of both your systems and your business/ operating model. AECOM combines network and operational expertise with a comprehensive flexible and proven process to deliver innovative solutions that improve your organization s resilience to deliberate attacks. Our solutions are built on: Big picture enterprise solutions We use situational awareness of the interdependencies and vulnerabilities across our clients organizations to lower their back-end security costs and improve overall resilience. Business assurance We align business and security objectives to business and security risk, arming senior leadership with the risk-informed knowledge they need to optimize capital and operational expenditures for protection against cyber threats. Integrated delivery approach We support all stages of the project, from planning to execution to ongoing management and operations. Our integrated approach is central to our practice and enables us to consider cyber vulnerabilities at every step in the process so that we can develop a customized approach with long-term value. Security of customer data We are committed to the security and confidentiality of the information, data and work products developed as part of any cybersecurity and preparedness project. We hold facility and individual security clearances across all disciplines. Deep technical expertise Our experts include engineers, planners, architects, landscape architects, environmental specialists, economists, scientists, consultants and construction specialists who understand the infrastructure needs of our customers. Our cyber security/ resilience experts work with our multidisciplinary project teams to integrate security and protection across the project life cycle, from planning and design to implementation and maintenance. Project flexibility and speed We are able to execute a rapid, agile and innovative process to effectively deliver customized solutions that consider future operational needs.

8 8 AECOM A partner in protection for critical network functions AECOM s leading-edge cybersecurity capabilities are built on our experience with the United States (U.S.) Department of Defense, Cyber Command and Defense Information System Agency benchmark practices and our design, build and operation of secure infrastructure assets for publicand private-sector clients worldwide. From information assurance and information systems security engineering for the U.S. Army to the design and engineering of a facility for real-time tracking of Air Force nuclear assets, we partner with government agencies to support mission-critical activities. Our teams bring unique expertise in intelligence, information technology and cybersecurity to provide situational awareness, risk analytics, and scalable and secure networkcentric defense. Maintaining tight network security is a top priority for AECOM. For this reason, we deliver information systems that comply with DoD ports, protocols and services guidance. AECOM also monitors various intelligence reports for new and current threats, and provides proactive defense capabilities to reduce the risk of future compromises. AECOM delivers the full spectrum of integrated planning, management and execution expertise for CYBERCOM s global cybersecurity missions, providing critical 24/7 cyber engineering and technical assistance that directly contributes to securing the Department of Defense s enterprise.

9 Cybersecurity 9 AECOM provided network security services, including information systems engineering and integration, for the U.S. Office of the Secretary of Defense, Army and Air Force components of the Pentagon information technology enterprise, which supports more than 22,000 users. We were responsible for detecting threats and controlling access to classified and sensitive but unclassified information. We continue to undertake periodic assessment of the network and subnetwork structure and configuration to identify vulnerabilities.

10 10 AECOM We build safety, security and resilience into everything we do As one of the world s largest professional and technical services firms that designs and constructs secure infrastructure assets around the globe, AECOM recognizes resilience as a critical consideration on all of our projects and we take a holistic approach that goes beyond cybersecurity. Our teams have unmatched resources and expertise to handle the complex, interconnected challenges associated with safety, security and functionality of critical infrastructure across every market sector. AECOM s resilience experts provide a streamlined process that integrates resilience into all project phases, from planning and design, construction, operations and maintenance. We are committed to strengthening and AECOM collaborates with the U.S. Department of Energy, Pacific Northwest National Laboratories, on a SCADA test bed to develop cybersecurity strategies for the National Power Grid. maintaining secure, functioning and resilient systems, networks and other assets. Our extensive realworld knowledge of infrastructure and the factors that impact business continuity such as aging and/or deteriorating infrastructure, climaterelated impacts and natural disasters, sophisticated criminal threats and economic fluctuations in the economy help us deliver proactive solutions that are customized to meet clients short- and long-term needs. Chemical Commercial facilities Communications Critical manufacturing Dams Defense industrial base Emergency services Energy Financial services Food and agriculture Government facilities Health care and public health Information technology Nuclear reactors, materials and waste Transportation systems Water and wastewater systems

11 Cybersecurity 11 With more than 100 years serving the oil and gas industry, AECOM is the leading provider of design, construction and production services across the oil and gas supply chain. This experience allows us to identify potential cyber, physical and operations security threats to this market s critical infrastructure, and design adapted risk management solutions.

12 About AECOM AECOM is a premier, fully integrated professional and technical services firm positioned to design, build, finance and operate infrastructure assets around the world for public- and private-sector clients. With nearly 100,000 employees including architects, engineers, designers, planners, scientists and management and construction services professionals serving clients in over 150 countries around the world, AECOM is ranked as the #1 engineering design firm by revenue in Engineering News-Record magazine s annual industry rankings, and has been recognized by Fortune magazine as a World s Most Admired Company. The firm is a leader in all of the key markets that it serves, including transportation, facilities, environmental, energy, oil and gas, water, high-rise buildings and government. AECOM provides a blend of global reach, local knowledge, innovation and technical excellence in delivering customized and creative solutions that meet the needs of clients projects. A Fortune 500 firm, AECOM companies, including URS Corporation and Hunt Construction Group, have annual revenue of approximately $19 billion. For more information, contact us at: askcyber@aecom.com Follow us on V AECOM. All Rights Reserved.