Effective Practices for The Protection of Transportation Infrastructure
From Cyber Incidents: Executive Briefing Pilot
Ron Frazier, David Fletcher Co-Principal Investigators
NCHRP 20-59(48)
Key Presentation Take-Away
• Awareness of this major cyber security research initiative
• Advance look at a key communication instrument
• Opportunity to contribute to the research
NCHRP 20-59(48) Overview
• $300k Cooperative Research Project
– Sponsors: NCHRP, TCRP
– Scope: Industrial control, transportation control and enterprise data systems
• Deliverables available Q1 2015
– Executive briefing template
– Cyber security primer/best practices
– Cyber security webinar
Cyber Security in Transportation Survey (2014)
• Respondents motivated to reduce or avoid service interruption, loss of life and property damage
• But: only 20% had a current and tested Continuity of Operations or Disaster Recovery Plan
• 2 of 3 indicated implementing some “best practices” but 3 of 4 unfamiliar w/ national standards
Key Findings from the Research: Disparate institutional, cultural and organizational domains collide
• Cyber Security Professionals
• Transportation Professionals
EFFECTIVE PRACTICES FOR THE PROTECTION OF TRANSPORTATION INFRASTRUCTURE FROM CYBER INCIDENTS
EXECUTIVE BRIEFING
Road Map for Today
Transportation Systems Cyber Security
• Why cybersecurity is important
• Consequences of inaction
• Common myths
• Strategic best practices
• What can be done
CASE, LLC and WMC, LLC 7
Today’s highway systems . . . are cyber
Today’s transit systems . . . are cyber
And today’s vehicles have gone “cyber”
Consequences of incidents can be significant
• Reputational Damage
• Economic Impact
• Political Repercussions
• Safety Impact
Myth 1: “No one will attack us.”
Cyber incidents in transportation… are increasing
• Signage/Information Display
• Communications and Information
• Signaling/Switch Control
Myth 2: “It won’t happen to us.”
• According to a recent Security Report, all of the organizations examined during 2013 showed evidence of suspicious traffic, evidence that these networks have been penetrated.
• Perfect security is impossible to achieve... a more effective strategy is to assume that a cybersecurity incident will happen.
• Need to focus on resiliency and mitigating the consequences along with prevention.
Odds are high that it already has...
Myth 3: “It’s all about IT.”
There are parallels to safety…
“Just as transit agencies have created a safety-centric culture—saving lives and reducing accidents and accident severity—they need to foster and create a cybersecurity culture.”
• Awareness program
• Training program
• On-going risk assessment
• Security policies and procedures
Requires active management support in a visible manner.
Cybersecurity Risk Management: Information and Decision Flows
Myth 4: “Control system cybersecurity is the same as IT cybersecurity.”
There are differences between IT systems and control systems that need to be recognized.
• Cybersecurity for transportation control systems requires having a good understanding of security AND the control systems and the operational environments.
• Cybersecurity is generally the responsibility of IT personnel. Control systems are usually the responsibility of engineering and operations personnel.
Critical to facilitate discussion and interaction between the two groups.
Expert resources and guidance exist
Strategic best practices…
• Incorporate cyber risks into existing risk management and governance processes.
• Elevate cyber risk management discussions to the C-suite.
• Implement industry standards and best practices.
• Evaluate and manage your organization’s specific cyber risks.
• Provide executive oversight and review.
• Develop and test incident response plans and procedures.
• Coordinate cyber incident response planning across the enterprise.
• Maintain situational awareness of cyber threats.
CEO role in cybersecurity: What should you be doing …
• Set the tone from the top
• Expand organizational risk decision-making and mission priorities to include cyber security
• Advocate for cyber “secure” policies in procurement rules, HR policies, and state/regional systems and processes
Research Team
• Ron Frazier
• Dave Fletcher
• Jeff Western
• Pat Bye
• Yuko Naganishi
• Dave Ekern
• Mike Smith
Thank You
For additional information, please contact:
Dave Fletcher
Co-Principal Investigator, NCHRP 20-59(48)
Western Management and Consulting, LLC
505-379-6499