1[Distribution Statement (A-F)]

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213

The Need for Operational and Cyber Resilience inTransportation Systems

January 14, 2016

Dr. Nader Mehravari, MBCP, MBCI

Cyber Risk and Resilience ManagementSoftware Engineering InstituteCarnegie Mellon Universitynmehravari@sei.cmu.eduhttp://www.cert.org/resilience/

2[Distribution Statement (A-F)]

Notices

Copyright 2015 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.

DM-0003164

3© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

CERT | Software Engineering Institute | Carnegie Mellon

Software Engineering Institute (SEI)

• Federally funded research and development center based at Carnegie Mellon University

• Basic and applied research in partnership with government and private organizations

• Helps organizations improve development, operation, and management of software-intensive and networked systems

CERT Division – Anticipating and solving

our nation’s cybersecurity challenges

• Largest technical program at SEI

• Focused on internet security, secure systems, operational resilience, and coordinated response to security issues

4© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Cyber Risk & Resilience Management Team

Engaged in

• Applied research

• Education & training

• Putting into practice

• Enabling our federal, state, and commercial partners

In areas dealing with

• Resilience Management

• Operation Risk Management

• Cyber and Resilience Frameworks

• Integration of cybersecurity, business continuity, & disaster recovery

5© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Contents

Operational Stress

Cyber-Induced Operational Stress on Transportation Sector

Prevention is Futile

Operational Resilience & Cyber Resilience

Techniques for Improving and Managing Cyber Resilience

Summary

6© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

What do you see here?

A set of well looking evergreens.

7© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Look Again!

A tree under operational stress

8© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Operational Stress

Naturalor

Manmade

Accidentalor

Intentional

Smallor

Large

Kineticof

Cyber

InformationTechnology

or Not

• Fire

• Flooding

• IT failures

• Earthquakes

• Cyber attacks

• Severe weather

• Network failures

• Technology failures

• Organizational changes

• Loss of service provider

• Strikes or other labor actions

• Loss of customer or trading partner

• Chemical, biological, nuclear hazards

• Unavailability of workforce

• Failed internal processes

• Supply chain disruption

• Employee kidnappings

• Workplace violence

• Data corruption

• Product failure

• Power outages

• Civil unrest

• Terrorism

• Fraud

• Etc.

Result in

Interruption

of

Business

Mission

…through which risks

are realized

Today’s

Discussion

Today’s

Discussion

9© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Examples

of

Cyber-Induced Operational Stress

on

Transportation Sector

10© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

July 2015

11© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

August 2015

12© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

August 2015

13© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

January 2008

14© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

January 2012

15© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

September 2012

16© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

December 2015

17© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

October 2013

18© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

October 2015

19© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

May 2012

20© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

February 2014

21© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

August 2014

22© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

May 2015

23© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

24© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Aviation

Maritime

Mas

Transit

Passenger

Rail

Postal &

Shipping

Pipeline

Freight

Rail

Highway

InfrastructureMotor

Carrier

Discussion is Applicable to All Subsectors

25© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Discussion is Applicable to…

Transportation

Subsectors

Primary Units of

Transportation

Modes of

Transportation

Aviation People & Goods Air

Highway Infrastructure & Motor Carrier People & Goods Ground

Maritime Transportation Systems People & Goods Sea

Mass Transit & Passenger Rail People Ground

Pipeline Systems Oil & Gas Ground

Freight Rail Goods Ground

Postal & Shipping Mailpieces &

Goods

Air, Ground,

Sea

26© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Prevention is Futile

27© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Cyber Intrusions are a Fact of Life

28© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Traditional Information Security Function

Protect / Shield / Defend / Prevent

Is necessary

Is not Sufficient

Fails too frequently

29© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Operational and Cyber Resilience

30© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

An Operationally Resilient Entity?

A tree under operational stress…

…while achieving its “business” mission

31© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Operational Resilience

The emergent property of an entity

• that can continue to carry out its mission in the presence of operational stress and disruption that does not exceed its limit

The ability of an entity to

• Prevent disruptions from occurring;

• And when struck by a disruption, the ability to quickly respond to and recover from a disruption in the primary business processes.

32© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Sample Techniques

for

Improving and Managing

Cyber Resilience

33© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Organizational Aspects

How should organizational structures, roles, and

responsibilities be adapted?

Example:

• “Traditional” vs. “Modern” information security functions

34© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Modern Information Security Functions

Protect / Shield /

Defend / Prevent

Monitor / Detect / Hunt

Management,

Governance,

Compliance,

Education,

Risk Management.

Respond/ Recover /

Sustain

35© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Operational Risk Aspects

How should organizations adapt their overall operational risk

management principles and practices?

Example:

• Integration and convergence of operational risk management activities.

36© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Today’s Operational Risk Management

IT Disaster Recovery

Continuity of Operation

(COOP)Business

Continuity

Emergency

Management

Supply Chain

Continuity

Crisis

ManagementContingency Planning

Pandemic

Planning

Preparedness

Planning

Operational Risk

Management

Enterprise Risk Management

IT Operations

Privacy

Risk

Management

Workforce

Continuity

Cyber Protection

Crisis Communications

Information

Security

Health & Safety

37© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Desired Solution Approach

IT

Disaster

Recovery

Business

Continuity

Health &

Safety

Emergency

Management

Crisis

Management

Information

Security

IT

Operations

Supply

Chain

Continuity

Physical

Security

Workforce

Continuity

Operational

Resilience

IT Disaster Recovery

Continuity of

Operation (COOP)Business

Continuity

Emergency

Management

Supply Chain

Continuity

Crisis

Manageme

ntContingency Planning

Pandemic

Planning

Preparedness

Planning

Operational Risk

Management

Enterprise Risk Management

IT Operations

Privacy

Risk

Management

Workforce

Continuity

Cyber Protection

Crisis Communications

Information

Security

Health & Safety

38© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Tools and Techniques Aspects

What structured (i.e., not ad hoc) frameworks could guide

and assist organizations?

Example:

• Resilience Management Model

39© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

What is Resilience Management Model?

Framework for managing and improving operational resilience

Guides implementation, mgmt, and sustainment of operational risk management activities

Improves confidence in how an organization manages and responds to operational stress

Focuses on “What” not “How”

Applicable to a variety of organizations• small or large

• simple or complex

• public or private

“…an extensive super-

set of the things an

organization could do to

be more resilient.”

- CERT-RMM adopter

40© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

A Sampling of RMM Success Stories

41© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

In Closing

42© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Sampling of ITS Emerging Capabilities

Advanced Driver

Assistant Systems

(ADAS)

• Smart lighting control

• Adaptive cruise control

• Lane departure warning

• Parking assistAdvanced fleet

Management

• Real-time telematics

• Driver fatigue detection

• Package tracking.

Smart Transportation

• Vehicle-to-infrastructure communications

• Smart intersection

• Traffic light control

• Collision avoidance

• Traffic management.

Autonomous

Driving

Convenience,

Comfort, &

Entertainment

• Keyless entry

• Remote engine start

• Mobile device integration

• Infotainment

Diagnostics &

Maintainability

• On-Board Diagnostics

• Software update in the garage

• Tire Pressure Monitoring

Etc., Etc., Etc. …

43© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Commonalities in Emerging Capabilities

Commonalities?

Information

Technology

&

Communication

Technology

44© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Primary Risks to Common Elements

Accidental

Information

Technology

&

Communication

Technology

Intentional

Design Flaws

Cybersecurity

Component Failures

45© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Cyber Risk Mitigation Challenge

Traditional IT cybersecurity contingencies are not feasible

• Failover over to a disaster recovery site

• Restoring from backup

• Failover to another vehicle

• Federal Motor Vehicle Safety Standards (FMVSS) timeframes precludes “Patch Tuesdays.”

• Can’t call a breach response team (AAA does not do that yet)

Successful management of cyber risk within ITS may

require a (significant) shift in thinking and approach.

46© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Promising and Proven Approach

Cyber

Resilience

Management

47© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

Thank you for your attention.

48© 2016 Carnegie Mellon University[Distribution Statement (A-F)]

References

1. J. H. Allen, R. H. Caralli, and D. W. White, CERT® Resilience Management Model: A Maturity Model for Managing

Operational Resilience, Addison-Wesley Professional, 2010.

2. N. Mehravari, J. Allen, P. Curtis, and G. Crabb, “A Proven Method for Identifying Security Gaps in International Postal

and Transportation Critical Infrastructure,” 93rd Annual Transportation Research Board Conference, Washington, DC,

January 13-18, 2014.

3. N. Mehravari, J. Allen, P. Curtis, and G. Crabb, “Improving the Security and Resilience of U.S. Postal Service Mail

Products and Services,” 93rd Annual Transportation Research Board Conference, Washington, DC, January 13-18,

2014.

4. N. Mehravari, "Cybersecurity Update,” a lecture as part of the Business Continuity and Crisis Management Summer

School, Massachusetts Institute of Technology, July 2015.

5. N. Mehravari, “Cyber and Operational Resilience Management,” half-day tutorial, planned for 2015 IEEE Military

Communications Conference (MILCOM’15), Tampa, FL, October 26-28, 2015.

6. N, Mehravari, “Principles and Practice of Operational Resilience,” half-day tutorial, IEEE Systems Conference,

Vancouver, BC, April 12-16, 2015.

7. N. Mehravari, “Information Resilience in Today's High-Risk Economy,” Software Engineering Institute Blog, November

17, 2014.