Managing Cyber Risks to Transportation Systems
Mike Slawski
Cyber Security Awareness & Outreach

The CIA Triad

SABSA Model
TSA Mission in Cyber Space
Mission: Facilitate the measured improvement of the national transportation sector cyber security posture.
Mandates: National Infrastructure Protection Plan (NIPP), Homeland Security Presidential Directive-7 (HSPD-7), Quadrennial Homeland Security Review: Mission 4 (DHS). All progress monitored by Congress through annual reports.
Direction: TSA is designated by DHS as the Sector-Specific Agency for the Transportation Sector. The Office of Information Technology partners with the Office of Security Policy and Industry Engagement to lead cyber security activities in the sector.
Approach: Non-Operational. Education, Facilitation, Communication
CSAO Strategy and Goals
Strategy: The Sector will manage cybersecurity risk through maintaining and enhancing continuous awareness and promoting voluntary, collaborative, and sustainable community action.
Goal 1: Maintain Continuous Cybersecurity Awareness
Goal 2: Improve and Expand Voluntary Participation
Goal 3: Define Conceptual Environment
Goal 4: Enhance Intelligence and Security Information Sharing
Goal 5: Ensure Sustained Coordination and Strategic Implementation
CSAO Challenges
- Human Beings
- Ignorance
- Trust (NDAs, legal constraints, etc.)
- Information classification
Partnerships and Resources
Federal:
- DHS: NPPD, NCSD, NCCIC, US-CERT and ICS-CERT
- DoT: Federal Highway, State and Local, (Volpe - National)
- Military: USCG/Cyber Command, TRANSCOM
Industry:
- 6 Modes: Aviation, Mass Transit, Freight Rail, Pipeline, Maritime, Highway Motor Carrier (HMC)
- Associations (Ex: Association of American Railroads)
- Individual Companies (Ex: Union Pacific)
ISACs:
- Multi State, Surface/Public Transportation
TSA Coordination:
- OSPIE, Office of Intelligence and Analysis
Transportation Sector Cyber Activities
Aviation: Created a working group to develop an ISAC for cyber
Pipeline: Developing industry-wide cyber risk management approach
Maritime: Partnering with TSA, DOT, and DHS to develop a cyber risk management approach for the nation's port facilities. Co-hosting the 2012 Cybersecurity in Transportation Summit with TSA
Freight Rail: Building annual Corporate Security Review for Class 1 Railroads
Mass Transit: TSA partners with American Public Transportation Association to improve control systems cyber security standards
Highway Motor Carrier: TSA CSAO participates in CIPAC meetings and is an active member of the GCC/SCC meetings; ABE-40
Cybersecurity Exercises 2012 Initiatives
- Transportation Systems Sector Cyber Working Group
- 2012 Cybersecurity in Transportation Summit
- Cybersecurity Assessment and Risk Management Approach (CARMA)
National Level Exercise 2012 - Overview
Conducted between March and July, 2012
- Included participation from nearly all critical sectors identified in the NIPP
- Several phases, from threat warnings and indications, to detailed scenarios
Objectives:
- Improve cross-sector and intra-industry communications during crisis
- Test and evaluate centralized cyber incident handling procedures
Outcomes:
- AAR in Development / SSI content
Cyber Security Tabletop Exercise: TSA and U.S. Transportation Command - Overview
Conducted on June 20, 2012
- First ever cyber security exercise between TSA and DoD
Objectives:
- Broaden the understanding of transportation industry impacts to mission-critical DoD functions in the event of a cyber attack on transportation systems
- Identify knowledge gaps between DoD and DHS entities for cyber incident handling processes
- Improve collaboration between DoD, TSA, and DHS resources
General Exercise Outcomes:
1. Foster Education, Collaboration and Awareness
2. Promote and Further Public Private Partnerships
3. Enhance Information Sharing Efforts
OSPIE has developed a sector outreach cyber security strategy based on these priorities. OIT will support OSPIE through continued SME guidance, and awareness and outreach events, including the 2012 Summit.
Information Sharing Resources
Weekly newsletter:
- Published to promulgate open source stories about recent cyber events and transportation-specific news
- Excellent resource for busy industry leaders to maintain situational awareness
Monthly Transportation Systems Sector Cyber Working Group
Transportation Research Board Cyber Subcommittee:
- Monthly meeting hosted by Mr. Mike Dinning
- Discussions incorporate research from academia, industry, and government on relevant cyber security topics
2012 Cyber Security in Transportation Summit
September 24-25, 2012
Hilton Crystal City at National Airport, Arlington VA
Mission: Help identify and sustainably manage the risk to critical transportation functions and business from cyber attacks.
Co-hosted by TSA and the USCG Cyber Command
Topics will include:
- Combating Insider Threats
- Control Systems Roadmap
- Open Source Threat Briefing
- DHS Cyber Security Resources
- Hacking SCADA Systems
- Opportunities for collaboration
- ... and many others

Additional Resources
CARMA Overview
Stage 1: Scope Cyber Risk Management Effort
- Determine Scope and Identify Subject Matter Experts
- Develop Cyber Risk Management Work Plan
Stage 2: Identify Cyber Infrastructure
- Validate Critical Business Functions
- Identify Cyber Dependent Infrastructure
Stage 3: Conduct Cyber Risk Assessment
- Develop and Test Threat Scenarios
- Develop Cyber Risk Profile
Stage 4: Develop Cyber Risk Management Strategy
- Evaluate and Prioritize Risk Response Actions
- Develop Cyber Risk Strategy and Validate
Stage 5: Implement Risk Management Strategy and Measuring
- Productize Suggested Operational Plan for Distribution
- Develop Suggested Sector Cyber Metrics
- Collect and Analyze Metrics Data (where requested)
- Refine Risk Management Strategy
Ongoing: Administrative Support and Governance
Cybersecurity Evaluation Program (CSEP)
Conducts voluntary cybersecurity assessments across all 18 CIKR sectors, within state governments and large urban areas. CSEP affords critical infrastructure sector participants a portfolio of assessment tools, techniques, and analytics, ranging from those that can be self-applied to those that require expert facilitation or mentoring outreach. The CSEP works closely with internal and external stakeholders to measure key performances in cybersecurity management. The Cyber Resiliency Review is being deployed across all 18 Critical Infrastructure sectors, state, local, tribal, and territorial governments.
For more information, visit www.dhs.gov/xabout/structure/editorial_0839.shtm or contact CSE@dhs.gov
Cybersecurity Evaluation Tool (CSET)
CSET is a desktop software tool that guides users through a step-by-step process for assessing the cyber security posture of their industrial control system and enterprise information technology networks. CSET is available for download or in DVD format.
To learn more or download a copy, visit http://www.us-cert.gov/control_systems/satool.html. To obtain a DVD copy, send an e-mail with your mailing address to CSET@dhs.gov.
Cybersecurity Vulnerability Assessments through the Control Systems Security Program (CSSP)
CSSP Assessments provide on-site support to critical infrastructure asset owners by assisting them to perform a security self-assessment of their enterprise and control system networks against industry accepted standards, policies, and procedures.
To request on-site assistance, asset owners may e-mail CSSP@dhs.gov
Industrial Control Systems (ICS) Technology Assessments
ICS Assessments provide a testing environment to conduct baseline security assessments on industrial control systems, network architectures, software, and control system components. These assessments include testing for common vulnerabilities and conducting vulnerability mitigation analysis to verify the effectiveness of applied security measures.
To learn more about ICS testing capabilities and opportunities, e-mail CSSP@dhs.gov
Information Technology Sector Risk Assessment (ITSRA)
ITSRA provides an all-hazards risk profile that public and private IT Sector partners can use to inform resource allocation for research and development and other protective measures which enhance the security and resiliency of the critical IT Sector functions.
For more information, see http://www.dhs.gov/xlibrary/assets/nipp_it_baseline_risk_assessment.pdf or contact ncsd_cipcs@hq.dhs.gov.
How to Get Involved
- Email us! Cybersecurity@tsa.dhs.gov
- Read our weekly newsletter
- Participate in our monthly TSS-CWG meetings (open to GCC and SCC members)
- Attend our summit!
Section Chief: Ms. Kelley Bray
571-227-2198
kelley.bray@tsa.dhs.gov
Michael Slawski, CISSP, CIPP, Sec+, SCF, Surfer
Follow me on Twitter: @michaelslawski
Email: michael.slawski@tsa.dhs.gov
Phone: 571-227-4292