National Railroad Passenger Corp. (AMTRAK)
Session 1 – Threats and Constraints
“Continuous”
- Continuous Monitoring
- Continuous Assessment
- Continuous Education
Page 2
Amtrak Information Security Challenges & Execution
International Union of Railways North American Regional Assembly on May 4th and the UIC Workshop on the Digital Railway and Rail Security on May 5th (Washington D.C.)
Ron Baklarz, C|CISO, CISSP, CISA, CISM, NSA-IAM/IEM, Chief Information Security Officer
Page 4
Amtrak Mission
The Amtrak mission is to deliver intercity transportation with superior safety, customer service and financial excellence.
To accomplish this mission, Amtrak has identified three overarching strategic themes: Safety and Security, Customer Focus and Financial Excellence.
Page 6
About Amtrak - Physical Aspects
- Employees: 20,000
- Annual Revenue FY2015: > $3.2 billion
- Route Miles:
  - Amtrak Owned Track: 363 miles of the 457-mile Northeast Corridor (NEC)
  - Freight Owned Track: ≈ 21,000 miles
- NEC: 2,200 trains each weekday, including:
  - freight trains traveling at speeds of 30-50 mph
  - commuter trains that travel at speeds up to 125 mph
  - Amtrak Regional trains that travel at 110 or 125 mph
  - Acela Express trains that can reach speeds of 150 mph
- Long Distance: Amtrak operates 15 long distance routes over an 18,500-mile network serving 39 states and the District of Columbia. Long distance trains are the only intercity passenger rail service in 23 states and 223 communities.
- Amtrak Operated Corridor and State Services: 6,000-mile route system serving 23 states, primarily in the Northeast, Midwest and along the Pacific Coast
- Destinations Serviced: >500
- Passengers FY15: 30.8 million
- Amtrak owns 18 tunnels (consisting of 24 miles of track) and 1,414 bridges.
Page 7
About Amtrak - Cyber Aspects
- 2 Datacenters
- 1,500 servers: Mainframes, Unix, Linux and Windows
- 10,000 client devices (endpoints)
- 350 Application Portfolio
- 300+ Ticket Kiosks
- VISA/MasterCard Level 1 Merchant
- Industrial Control Systems – SCADA (electric distribution), CETC (signaling), PTC
- Network Statistics: 5,000+ data switches, 25,000 voice sets, 174 routers, 116 firewalls, 100 voice switches
Page 8
Challenges
PEOPLE – PROCESS – TECHNOLOGY
- Build and maintain an effective, efficient, and credible Information Security Program: staff, governance model, and budget
- Bring specific people, processes, and technologies into compliance with various regulatory frameworks, e.g., PCI-DSS standards (>200 Controls) as a Level 1 Merchant; FISMA (189 Controls); NIST Framework; and IT General Controls (ITGC) – Change Management, Configuration Management, SOD, Access Control, etc.
- TECHNOLOGY – Implement Information Security initiatives across a geographically and culturally diverse organization and in the context of a ubiquitous network and computing environment.
Page 9
Implementation & Execution
- Executive management buy-in and support
- Close relationship with auditors and Office of Inspector General
- Accountability & Compliance
- Documented Policies & Procedures
- Implement Best Practices & Control Frameworks
- Communication & Education
- Continuous Monitoring of Networks and Systems
Page 10
Key Themes
“CONTINUOUS”
- Continuous Monitoring
- Continuous Assessments
- Continuous Awareness & Education
Page 11
Page 19
The Adaptive Security Architecture
[Diagram: four capability quadrants arranged around a central “Continuous Monitoring and Analytics” hub]
- Predict: Proactive Exposure Assessment; Predict Attacks; Baseline Systems
- Prevent & Protect: Harden and Isolate Systems; Divert Attackers; Prevent Incidents
- Detect & Analyze: Detect Incidents; Confirm and Prioritize; Contain Incidents
- Respond: Remediate/Make Change; Design/Model Change; Investigate/Forensics
Page 20
Amtrak IT Information Security Program
[Diagram: program components arranged around the Predict / Prevent & Protect / Detect & Analyze / Respond cycle]

Vulnerability Assessments
- Monthly 3rd Party Scans
- Monthly Other 3rd Party Scans
- Quarterly PCI-DSS Scans
- Annual PCI External
- Annual PCI Internal
- INFOSEC – Internal/External (weekly & ad hoc)
- Other 3rd Party Assessments
- Tool Mapping (Defense in Depth & Cyber Kill Chain Models)
- Vulnerability Identification & Remediation

Frameworks (~560 controls)
- PCI-DSS (200)
- FISMA (140)
- Maturity Model (123)
- NIST Framework (100)

Threat Inputs
- SIEM
- Anti-Malware
- MSS
- Looking Glass
- Open Source Intel
- DHS
- FBI
- US CERT
- Ad Hoc

IT Security Policies / Incident Response
- Cloud Security Policy
- Data Encryption
- Firewall Standard & Procedures
- IS – Roles & Responsibilities
- Server Policy & Standard
- Auditing Policy & Procedures
- File Integrity Monitoring (FIM)
- Incident Response Procedure
- Security Standards for Developers
- Wireless Security Policy
- Mobile Security Policy

Security Staff
- Full Time Employees: 9
- Combined Security Experience: 82 years
- Post-Graduate Degrees: 5
- Professional Certificates: 47

Key Themes
- Continuous Monitoring
- Continuous Assessments
- Continuous Education
Page 21
Amtrak IT Security Operations Center
[Diagram: Security Operations Center (SOC) positioned across the Predict, Prevent & Protect, Detect & Analyze and Respond functions]
Page 22
SOC Operations Statistics

Log Volume and Tickets Summary (SIEM)

Metric                             | Oct 2015      | Nov 2015      | Dec 2015      | Jan 2016      | Feb 2016      | Mar 2016
SIEM Logs per Month                | 2,569,978,089 | 3,265,894,595 | 5,124,446,692 | 5,580,206,400 | 4,570,989,060 | 4,995,833,869
SIEM Logs per Day                  | 82,902,519    | 112,617,055   | 165,304,732   | 180,006,658   | 163,249,609   | 166,527,796
System Agents Deployed             | 327           | 336           | 327           | 397           | 411           | 408
Log Sources                        | 1,727         | 1,979         | 1,983         | 2,119         | 2,076         | 2,048
Incident Tickets per Month         | 280           | 212           | 213           | 136           | 250           | 293
SIEM Maintenance Tickets per Month | 2             | 7             | 13            | 12            | 10            | 8
Alarm Investigations per Month     | N/A           | N/A           | N/A           | 11,708        | 6,908         | 5,252
Vulnerability Scan Summary

Scanning Tool                         | Oct 2015 | Nov 2015 | Dec 2015 | Jan 2016 | Feb 2016 | Mar 2016
Tool 1                                | 15       | 10       | 19       | 3        | 19       | 15
Tool 2                                | 165      | 613      | 807      | 1,083    | 674      | 1,213
Tool 3                                | 0        | 0        | 0        | 7        | 7        | 0
Tool 4                                | 313      | 354      | 79       | 319      | 375      | 279
Tool 5                                | 130      | 132      | 132      | 130      | 138      | 128
Tool 6                                | 460      | 144      | 551      | 144      | 124      | 0
Tool 7                                | 368      | 177      | 174      | 181      | 474      | 6,046
Tool 8                                | N/A      | N/A      | N/A      | N/A      | N/A      | 301
Tool 9                                | 3        | 3        | 3        | 3        | 3        | 3
Total Number of IP Addresses Assessed | 1,914    | 1,433    | 2,316    | 1,870    | 1,814    | 7,985
Page 23
Threat Resource
2016 Global Threat Intelligence Report (GTIR)
The NTT Group security companies (Solutionary, NTT Com Security and Dimension Data) have produced the most comprehensive report to date, pulling information from 24 security operations centers, seven R&D centers, 3.5 trillion logs, 6.2 billion attacks and nearly 8,000 security clients across six continents. The 2016 GTIR offers actionable intelligence, guidance about what attackers are doing, and comprehensive security controls designed to disrupt attacks. Controls recommended in this report will contribute to an organization's survivability and resiliency in the face of an attack. The report also describes how to utilize the Lockheed Martin Cyber Kill Chain®.
Sponsor: Solutionary Inc
http://resources.idgenterprise.com/original/AST-0166576_2016-NTT-Group-GTIR-Final.pdf