michael dinning - national defense transportation …...2017/09/28 · bug bounty 43 adapt…...
TRANSCRIPT
Cybersecurity attacks, a transporter’s worst
nightmare: how to minimize your risks
Michael Dinning
Advancing transportation innovation for the public good
Cybersecurity attacks, a transporter’s worst
nightmare: how to minimize your risks
Michael Dinning
Advancing transportation innovation for the public good
3
Source: MN DOT
4
Source: houstontranstar.com
Source: houstontranstar.org.png
5
Source: wagmtv.com
6
Source: healthcareitnews.com
7
8
Source: Wikipedia.org, 9/28/17
9
Major disruption to:
ComputersAccess to dataInternetEmailMobile phonesCommunications with customersCommunications with contractorsCommunications with customs, etc.Operations
10
GPS spoofing in Black Sea
Source: Maritime Executive, 7/12/17, Dana Goward
11
Political attacks - GPS jamming
Source: GNSSnews.com
12
Trucking & Shipping
Surveying & Mapping
Cargo Tracking
Power Grids
NextGen
Personal Navigation
Maritime Navigation
Military Land Ops
National Transportation System and the expanding ITS
UAVs
Satellite Operations
Aviation
Dependencies on GPS throughout
transportation and other sectors
13
Financially motivated criminal attacks
Source: bbc.com
14
Hacktivists
“No Justice No BART” – Physical Attacks “Anonymous” – Cyber Attacks
Sources: nojusticenobart.com, softpedia.com
15
91,000 square mile “ATC Zero”
CyberPhysicalPersonnel
September 26, 2014
Insider attacks
Sources: time.com, rwf2000.com
16
Gray Hat (or Opportunistic) Hackers
Source: permaculturenews.com
17
White Hat (Ethical) Hackers
18
Every mode is automated and connected
19
Source: velvetoverdrive.bandcamp.com
20
Tripadvisor.com
21
Source: Freakonomics.com
22
Sources: SFPE.com, electronicsweekly.com
23
Source: flickr.com
24
Source: retroplanet.com
25
Source: Daycaller.com
Source: centralyavapaifire.org
26
Source: mystateline.com
27
How do we do this for cyber risks?
28
Adapted from tieuluu.com
29
“We need to crawl/walk/run”
30
Industry-wide problem – lack of basics
“44% of ocean carriers show signs of low levels of cybersecurity related to very basic elements”
A top 20 carrier allows shippers to use “x” as password
10% of carriers and 20% of port terminals haven’t patched to prevent threats from 2½ years ago
Source: Lars Jensen, CEO CyberKeel and SeaIntelligence
31
Good cyber
hygiene reduces
risk over 80%
“Password123” is not secure!
32
Source: twoanimators.blogspot.com
33
Reinforcing good cyber hygiene
Dear Client,We have sent you this e-mail, because we have strong reason to belive, your account has been used by someone else. In order to prevent any fraudulent activity from occurring we are required to open an investigation into this matter. We’ve locked your Amazon account, and you have 36 hours to verify it, or we have the right to terminate it.
To confirm your identity with us click the link below:https://www.amazon.com/exec/obiodos/sigh-in.html
Sincerely, The Amazon Associates Team
Source: Softpedia News, Feb. 17, 2015
34
Reinforcing good cyber hygiene
Source: Softpedia News, Feb. 17, 2015
35
Which systems are most mission-critical?
Adapted from Joy Alexander, 2015 TRB Annual Meeting
36
Cyber Security Evaluation Tool (CSET)
Aviation Pipeline
Maritime HighwaySource: DHS.gov
37
37
Adapted from Joy Alexander, 2015 TRB Annual Meeting
3838
Segmentation by risk
Aircraft control Airline Information
Services
Passenger Information and Entertainment
Services
Passenger-Owned Devices
Flight and Embedded
Control Systems
Cabin Core
Admin
Passenger Support
Control the
Airplane
Operate the
Airline
Entertain the
Passengers
Entertain the
Passengers
Closed Private Public
Plus: encryption, authentication, intrusion detection
39
Design-it-in with specs & contracts
Electronic Stability ControlElectric Power Steering
Lane Departure PreventionAutomatic ParkingAutomatic Steering
Forward Crash Mitigation – Automatic BrakingAdaptive Cruise Control
Electronic Throttle Control
Battery Safety Management
Engine Control
Active Suspension
Antilock BrakingRegenerative Braking
Automatic Start/Stop
Hill-Hold Control
Dedicated Short-Range and Voice/Data
Communications
Recommended practices for cyber security & resilience
40
Collaborate to address high risks:
Protecting fleets of connected vehicles
Source: Freightliner.com
“Telematics Cybersecurity Primer for Agencies”
Bi-monthly report: https://hvcslistservice.nmfta.org
41
42
White Hat (Ethical) Hackers
“Good hacking is a gift”Elon Musk
BUG BOUNTY
43
Adapt…
securely
44
Adapting with secure over-the-air updates
45
Collaborative, pre-planned responses
46
“We didn’t just open our kimonos,
we wrapped each other up in them”
47
Defense Transportation ISAC
Mission assuranceSensitive information
Global scope
48
Cyber exercises & games
http://targetedattacks.trendmicro.com/cyoa/en/#
https://www.pwc.co.uk/issues/cyber-security-data-privacy/game-of-threats.html
Best practice: Create game scenarios tailored to your operations
49
Can you survive a
“Day Without Cyber”?
50
Cyber resilience = mission assurance
Government & commercial supply chain partners
51
How do we know if we’re all secure &
resilient?
Understand mission-critical risks
Agree on “standards” & apply throughout enterprise
Verify with independent audits & testing
Conduct cyber resilience exercises & refine
Develop & maintain sharing and collaboration
52
thesun.co.uk
53
Smokey the CyBear
Users
Developers
Public & privatepartners
Contractors
Suppliers
Source: retroplanet.com
54
Smokey the CyBear
Users
Developers
Public & privatepartners
Contractors
SuppliersSource: sheknows.com
Source: retroplanet.com
55
Michael Dinning
U.S. Department of Transportation
John A. Volpe National Transportation Systems Center
55 Broadway, Cambridge, MA 02142
617-494-2422 (o)
617-694-7518 (m)
The ideas in this briefing are the personal thoughts of the author, not the United States Department of Transportation.The United States Government does not endorse products or manufacturers. Trade or manufacturers’
names appear solely to illustrate the concepts presented in the briefing.
Information about Volpe Center collaboration with DoD: https://www.volpe.dot.gov/sites/volpe.dot.gov/files/docs/news/61416/dot-volpe-and-dod-successful-partnership.pdf