PROVIDING RESILIENCY AND SECURITY FOR INTELLIGENT TRANSPORTATION SYSTEMS
Larry Jaffe
AECOM
ITSVA Annual Conference
May 4, 2017
– Larry Jaffe, CISSP, GICSP
Over 25 years of experience designing and engineering security, communications and audiovisual systems
• SME for control system cyber security
• Project manager
Introduction
Examples
January 2008: 12 people injured when a 14-year-old boy uses a modified TV remote control to derail Polish trams. He discovered that the trams used IR to signal track controls, then recorded and replayed the IR signals.
– http://www.risidata.com/
August 20, 2003: CSX halted passenger and freight train traffic in response to a worm infection. The worm infected the telecommunications network that supported both their signal system and dispatch system. Service was affected in 23 states.
December 23, 2015: Power outage in Ukraine was caused by BlackEnergy malware. The infection was implanted with a spear-phishing email with a malicious Microsoft Office (MS Word) attachment.
Multiple incidents: Hacked portable message signs are a common occurrence as they are often left unlocked. The instructions for programming them are easily searchable online.
ICS is vulnerable to cyber attack
Attacks have real-world impact
– Life safety, reputation
New vulnerabilities discovered every week
Motorist and board level awareness because of recent major cyber breaches (Target, OPM, Sony, etc.)
200-300 Reported Incidents Each Year
2014 Incidents by Sector
ICS Cyber Incidents
Threat Actors
Cyber Kill Chain
Increasing risk & cost to contain & remediate
– Reconnaissance: Attacker research
– Weaponization: Create malware
– Delivery: Phish or similar attack
– Exploitation: Malware exploits vulnerability
– Installation: Operations of malware
– Command & Control: Attacker control of system
– Actions on Intent: Lateral movement & Exfiltration
MANAGING RISK
Implement an Information Security Program
– Security and Risk management
– Asset Security
– Security Engineering
– Communications and Network Security
– Identity and Access Management
– Security Assessment and Testing
– Security Operations
– Software Development Security
Risk Management Process
– Categorize
– Select Controls
– Implement Controls
– Assess Controls
– Authorize System
– Monitor Controls
Best Practices (a VERY abbreviated list)
– Educate your users about phishing
  • Lots of free awareness material available
  • White-phish your users
– Inventory your system assets
  • The adversary knows what’s really running on your network. Do you?
– Patch, Patch, Patch
Questions?