WELCOME TO THE ITS-NY 22nd ANNUAL MEETING AND TECHNOLOGY EXHIBITION
2015 ITS-NY Twenty-Second Annual Meeting, June 11-12, 2015; Saratoga Springs, NY. ITS: Looking Forward

AGENDA: Thursday, June 11, 2015, 1:15 p.m.
Panel 2: Security and ITS
Panel Moderator: Dr. Art O'Connor, FHWA
- Ann D. Currier, New York State Thruway Authority: The CIA of Being an ITS Cyber Security Warrior
- Ed Fok, USDOT/FHWA Resource Center: Transportation Cyber Security: Where Are We Going?
- Tariq Habib, Metropolitan Transportation Authority: IT Security Is ITS Security
- Michael DeGidio, Port Authority of NY & NJ / Office of the Chief Security Officer: An Approach to Cyber Security
Security and ITS: Panel 2. ITS-NY 22nd Annual Meeting, Saratoga Springs, NY, June 11-12, 2015. Arthur T. O'Connor, PhD, PE, USDOT/FHWA

Speakers
- Ann D. Currier, Chief Auditor, New York State Thruway Authority: The CIA of Being an ITS Cyber Security Warrior
- Edward Fok, P.E., PTOE, Transportation Technology Specialist, USDOT/FHWA Resource Center: Transportation Cyber Security: Where Are We Going?
- Tariq Habib, Chief Information Security Officer, New York Metropolitan Transportation Authority (MTA): IT Security Is ITS Security
- Michael B. DeGidio, P.E., PMP, Director of Security Operations and Programs, Port Authority of New York & New Jersey: An Approach to Cyber Security

Securing Transportation Systems
- Organizational identity
- Vulnerabilities facing TMCs/operators and field instrumentation
- Identify current and future threats
- Demands on limited resources
- IT vs. ITS systems
- Capabilities of agency staff

Culture Shift to Consider a Cyber-Protected Environment
- Operating norms and policies/procedures
- Institutional culture vs. cybersecurity culture
- Design/planning/procurement processes
- Preserving safety and mobility
- Transparency and decisions to disclose
- Funding priorities / understanding risk
- Risk management: have a plan
- Guidance / best practices / training
Our Systems Don't SUCK! Edward Fok, USDOT/FHWA. 2015 ITS New York, Saratoga Springs. edward.fok@dot.gov
We got clobbered last year
Nature of the problem
- We know what they think can be done
- We know more than they do about what COULD be done
- We have the home court advantage
- We understand our limits

Time to act
NIST released the Cybersecurity Framework (2/2014). Current work underway:
1. Track 1: Streamlined single point of communication
2. Track 2: Tools
   a) Assessment and hardening tool
   b) Long-range guidance

Not your average challenge
- Guidance and tools have to be adaptive
- The communication portal has to be simple
- We need to keep the noise to a minimum
- We need to work with established partners, and we hope this can be technology agnostic

In the meantime
- Are you clear about your agency's mission?
- Do you KNOW your system?
- Can you find out where you're vulnerable?
- How well do you communicate?
IT SECURITY & ITS. ITS New York 22nd Annual Conference, Saratoga Springs, NY, June 11-12, 2015. Tariq Habib, Chief Information Security Officer (CISO), MTA

MTA
- Large and extensive infrastructure (bridges, tunnels, rail, train control systems, command and control facilities, power and communications network)
- North America's largest transportation network
- Average weekday ridership over 8 million
- MTA Bridges & Tunnels carry over 300 million vehicles per year
- Huge capital investment, operations and maintenance
- America's largest bus fleet
- More trains than all the rest of the country's subways and commuter railroads combined

Eight ITS Security Areas (National ITS Architecture)
1. Transportation Infrastructure Security
2. Traveler Security
3. Rail Security
4. Transit Security
5. Freight & Commercial Vehicle Security
6. Hazmat Security
7. ITS Wide Area Alert
8. Disaster Response & Evacuation

Potential ITS Security Threats
- ITS systems are part of the critical infrastructure
- Primary concern: cyber warfare by foreign governments. Attackers are already scanning our systems and likely collecting data (Dragonfly/BlackEnergy)
- Secondary concern: internal threats, hacktivists and terrorist groups

Why should we be concerned?
- Time to compromise: a few minutes to days
- Time to detect: most of the time, months
- Time to mitigate: more than 3 months
- 70% of breaches are detected by 3rd parties, not the victim
*Sources: Verizon Data Breach Investigations Report and LogRhythm

Why should we be concerned?
- 70% of the attacks include a secondary victim
- Phishing is the most popular approach for cyber-espionage
- 46 percent of organizations that have suffered a data breach took more than four months to detect a problem
*Sources: Verizon Data Breach Investigations Report and LogRhythm

Top Attack Methods
- Credentials
- Phishing
- RAM scrapers
- Spyware/keyloggers
- Drive-by downloads
99.9% of the exploited vulnerabilities were compromised more than a year after the patch was published.

Most of the attacks are not sophisticated (*Websense)
Common breach findings (*Verizon DBIR):
- Why? Because the version was outdated and vulnerable to a widely known attack.
- Why? Because the server software hadn't been updated in years.
- Why? Because we thought the third-party vendor would do it.
ITS Large Projects
- Generally funded through the capital programs
- Longer duration
- Systems are built in collaboration with contractors
- Focused on availability; customer service and safety are the main drivers
- Systems are reliable and fully tested
- Process oriented and follows systems engineering
- Longer upgrade cycles; 24/7 operation
- Legacy systems and devices are prevalent

Security Is Considered, but the approach needs to change
Since the threats are bigger, adversaries are in no rush, and the impact is large, system security needs to be embedded in the systems engineering process. The best defense: use proven security best practices for a sound defensive posture.

What to do when the system is critical
- Use two-factor authentication
- Remove admin accounts
- Tools are available to use as a service
- Segregate networks: have your own segment/VLAN
- Use application whitelisting/control software
- Build secure applications: incorporate a secure SDLC in the systems engineering process
- Log and link your systems to your security operations monitoring
- Control and monitor remote access
- Patch web services; protect against known vulnerabilities
- Must have malware detection tools in place
- Limit ports and services
Office of the Chief Security Officer: An Approach to Cyber Security at The Port Authority of New York & New Jersey. Presentation to the 2015 ITS-NY 22nd Annual Meeting, Saratoga Springs, NY, June 11, 2015

Port Authority of NY & NJ Assets
- 6 airports
- 2 tunnels
- 4 bridges
- 3 bus stations
- Trans-Hudson rail system (PATH)
- Marine port commerce facilities
- 2 industrial parks
- Commercial properties
- 1 World Trade Center

Transportation Technology Systems

Type        Category                 Examples
ICS         Control Systems          Traffic Lights/Lane Control Signals; Airfield Lighting; Train Control & Signals; Variable Message Signage
ICS         SCADA                    Tunnel Ventilation; Pump Monitoring
IT Systems  Toll Collection Systems  Electronic Toll Collection; Parking Lot Revenue Control
IT Systems  Building Management      Fire Alarm; Vertical Transportation
IT Systems  Business Management      Accident Reporting; Impound Vehicle Management
Cyber by the Numbers (chart slide; sources: FireEye, Verizon)

Key Cybersecurity Enterprise Risks
- Impacts to life safety, due to industrial control system compromise
- Revenue loss/accounting, due to financial revenue control system compromise
- Compromise of personally identifiable, health, and credit card information
- Compromise of third-party proprietary information
- Damage to the Port Authority brand
- New vectors of attack: mobile devices, cloud computing
- Insider threat: contractors, consultants, disgruntled employees, etc. with access to key systems

Control System Challenges: IT Systems vs. ICS Systems

Security aspect                       IT Systems                    ICS Systems
Cyber protection (AV, anti-malware)   Widely used technology        Uncommon; at times difficult to deploy
Asset life                            3-5 years                     15+ years
Patching                              Regularly scheduled           Slow; vendor specific
Upgrade testing                       Less onerous                  Extremely robust
Vulnerability alerts                  Frequent                      Rare
System availability                   Downtime usually acceptable   24 x 7 x 365
Cyber security awareness              High                          Generally poor
Physical security                     Generally secure              Often remote and unstaffed
Vulnerability/penetration testing     Fairly easy and frequent      Difficult; must be coordinated and well thought out
Professional Challenge (chart slide; source: TRB)

Cyber Security: IT Function or Security Function?
- The Chertoff Group was retained in 2012 to review the Port Authority's security regime
- Recommended restructuring from a decentralized to a centralized paradigm
- Recommended appointment of a Chief Security Officer (CSO)
- Recommended that overall responsibility for agency cyber security be placed under the CSO

Traditional Cyber Security of the Past
Cyber activities:
- Traditional antivirus software
- Email protection: spam and malware
- Limited perimeter protection
- Limited penetration tests and audits
Standards:
- General IT standards and guidelines
- System administration guidelines
- Policy on use of computing resources by employees
Consultant assessments showed the need for significant enhancements.

Risk-Based Approach (similar to physical protection)
- Asset inventory: What do you have? Who has access and when? Least privilege
- Threat and vulnerability analysis: What are the threats? Where are the weaknesses?
- Criticality assessment: What is most important?
- Consequence management (backups, etc.)
- Risk prioritization and mitigation options
- Risk-based approach: can't protect everything
- Multi-year business planning: get stronger over time

Cyber Security: The Path Forward
Policy and standards:
- Adopted the NIST SP 800-53 control framework
- Executive-level adoption of 25 new policies
- Enhanced system administration standards
Cyber protection activities:
- Frequent penetration tests and audits, with remediation
- Frequent public-facing IP and web page scans, with remediation
- 24 x 7 perimeter protection
- Antivirus with APT protection
- Governance, risk, and compliance tools
- Patching and update management
- Industrial control systems: focused effort

Cyber Security: The Path Forward
Human resources:
- Awareness posters
- Training programs for all employees
- Annual training/certification for system administrators and service providers
- Incident response / business continuity plans
- Future: 24/7 cyber security operations desk
Partnering:
- MS-ISAC
- Federal partners: FBI, DHS, US-CERT
- States of New York and New Jersey

Technology Systems Procurement Requirements
Hardware security:
- Supply chain security
- Remote maintenance policies
- New rules for wireless components
Software security:
- Restrictions on use of super-user accounts; enhanced monitoring
- Review of application programming interfaces for remote and/or backdoor access
- Independent security testing of source code libraries
System Maintenance Security Requirements
General requirements:
- System maintenance by PANYNJ staff or background-checked contract employees
- Training and certification of system maintainers
- No removal of data from Port Authority premises without authorization
- User-level access only, unless additional privileges are absolutely necessary
- Detailed logging of maintenance activity
- Prohibition on automated call-home maintenance service protocols
- Remote system maintenance connections will require two-factor authentication
- Remote system maintenance only through an approved dedicated network or Virtual Private Network connection
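The maintenance requirements on this slide, together with the "control and monitor remote access" and "log and link your systems to your security operations monitoring" items from the MTA list earlier, can be checked mechanically against session logs rather than only stated as policy. The following is an added example in Python; it is not code from the Port Authority, the MTA, or any of the presenters. It assumes a hypothetical key=value session log format (the sample lines are constructed, not real logs) and an assumed approved maintenance VPN range of 10.200.0.0/16; each check corresponds to one bullet above.

```python
"""Audit remote-maintenance session records against the access rules above.

Added example; not code from the Port Authority, the MTA or any presenter.
Assumptions (not from the page): the approved maintenance VPN / dedicated
network is 10.200.0.0/16, and each session is one constructed key=value
log line in the form shown in SAMPLE_LOG.
"""
import ipaddress

# Assumed address range of the approved dedicated network / VPN.
APPROVED_REMOTE_NETS = (ipaddress.ip_network("10.200.0.0/16"),)

# Constructed sample records (not real logs). One line per session:
# timestamp, user, source address, whether two-factor auth completed,
# privilege level, action taken, and an optional export destination.
SAMPLE_LOG = """\
2015-06-11T02:14:05Z user=vendor_acme src=10.200.14.7 mfa=yes priv=user action=patch_hmi
2015-06-11T02:20:41Z user=vendor_acme src=10.200.14.7 mfa=yes priv=admin action=change_setpoint
2015-06-11T03:02:10Z user=ops_jsmith src=203.0.113.45 mfa=no priv=user action=view_alarms
2015-06-11T03:40:00Z user=vendor_zeta src=10.200.3.9 mfa=no priv=admin action=firmware_upload
2015-06-11T04:15:33Z user=ops_kwong src=10.200.9.2 mfa=yes priv=user action=export_logs dest=usb
2015-06-11T05:00:00Z user=plc_svc src=10.200.30.1 mfa=yes priv=user action=call_home
"""


def parse_record(line):
    """Split 'ts k=v k=v ...' into a dict; the first token is the timestamp."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def check_record(rec, admin_approved=frozenset()):
    """Return the list of policy violations for one session record.

    Each check maps to one requirement from the slide: approved network or
    VPN only, two-factor authentication, user-level access unless privileges
    were approved, no automated call-home, no data removal without
    authorization.
    """
    findings = []
    src = ipaddress.ip_address(rec["src"])
    if not any(src in net for net in APPROVED_REMOTE_NETS):
        findings.append("source not on approved maintenance network/VPN")
    if rec.get("mfa") != "yes":
        findings.append("two-factor authentication not completed")
    if rec.get("priv") == "admin" and rec["user"] not in admin_approved:
        findings.append("privileged session without approved justification")
    if rec.get("action") == "call_home":
        findings.append("automated call-home maintenance protocol")
    if rec.get("dest") == "usb":
        findings.append("data export to removable media; requires authorization")
    return findings


def audit(log_text, admin_approved=frozenset()):
    """Run check_record over every line and return {(ts, user): findings}
    for sessions with at least one violation, in log order."""
    results = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        findings = check_record(rec, admin_approved)
        if findings:
            results[(rec["ts"], rec["user"])] = findings
    return results


if __name__ == "__main__":
    # vendor_acme is assumed to hold an approved ticket for a privileged session.
    for (ts, user), findings in audit(SAMPLE_LOG, {"vendor_acme"}).items():
        print(ts, user, "->", "; ".join(findings))
```

The value of writing the policy this way is that the log format becomes a procurement requirement in itself: every field the checks rely on (source address, MFA result, privilege level, action, export destination) has to be present in the detailed maintenance logging the slide already calls for, or the corresponding rule cannot be enforced after the fact.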
Information Security & Personnel Assurance
Information security:
- Information Security Handbook: Confidential Privileged Information; Confidential Information
- Non-Disclosure Agreements (NDAs)
- Information security audits
Personnel assurance:
- Secure Worker Access Consortium (S.W.A.C.) Personnel Assurance Program: criminal history background screening process; approximately 90,000 individuals are currently enrolled
- Vendor integrity checks

Master the Basics
- Inventory: Do you know what you have?
- Access control: Do you know who has access? Do you check it at least annually?
- Audit reports: Read them so you know what was deemed vulnerable
- Identification and authentication: Do you really know the person you are giving system and information access to? Were they screened?
- Maintenance providers: What tools are they bringing in? Are they clean?
- Education/awareness: Do your employees know what risky activities even are?
- Business continuity plans: Can you recover from a cyber attack?
The End. Questions? Michael B. DeGidio, P.E., PMP, Director, Security Operations & Programs, Office of the Chief Security Officer. Email: mdegidio@panynj.gov; Phone: (201) 595-4720