Cybersecurity - What’s Next? June 2017
Complacency – Your Worst Enemy
Source: HP, "The Wolf" – http://www8.hp.com/us/en/solutions/security/thewolf.html
Technology & Infrastructure: Data Breaches
Source: Verizon 2017 Data Breach Investigations Report
Types of Threat
- Bus hacking & remote control
- Website penetration
- Network intrusion
- Physical building intrusion
- Ransomware
- DoS & DDoS
- Weak password policy
- Lack of multi-factor authentication
- Bots
- Printers
- Insider threats
- Social engineering
Technology & Infrastructure: Key Concerns
Protect Assets
- Endpoint security
- Web application vulnerability
- Password protection
- PCI/PII
- HIPAA
Recognize External Threats
- Ransomware and espionage
- Physical theft / POS device attacks
- Compromise of assets (vehicles)
Technology & Infrastructure: Vehicle Hacking
"Security By Obscurity" No Longer Applies
- CAN-bus vulnerability: the SAE J1939 protocol used on heavy vehicles is an open, published standard, so message layouts are no secret. A CAN frame carries an arbitration ID but no sender identity and no authentication, so any node with bus access can read every frame and inject frames that other ECUs will accept.
- "Risk points": brakes, powertrain, GPS
- Hacking activities: packet snooping, data collection, packet injection
Vulnerability Mitigation: Securing the Vehicle CAN Bus
- Network segregation & isolation (keep externally facing devices such as telematics units off the safety-critical bus)
- Intrusion detection tools
- Message verification & authentication
- Passwords on all externally facing devices
- Vendor review & due diligence
Source: University of Michigan Transportation Research Institute
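Two of the mitigations above, as an added example that is not from the presentation or from UMTRI: a timing-based intrusion detector that flags injected frames in a candump-style capture (a legitimate ECU keeps sending its periodic frame, so an injected copy shows up as an impossibly short gap or as an ID never seen on the bus), and a truncated MAC with a freshness counter carried inside the 8-byte CAN payload. The log lines, the payload layout (4 data bytes, 1 counter byte, 3 tag bytes), the key and the 0.5 ratio are all constructed for this example; the MAC layout is illustrative and is not any vendor's or AUTOSAR SecOC's actual profile.

```python
"""Constructed example: timing-based CAN injection detection and a
truncated-MAC payload check. Not code from the presentation."""
import hashlib
import hmac
import re
from collections import defaultdict
from statistics import median

# candump-style line: "(timestamp) interface ID#HEXDATA"
FRAME_RE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)")

# Constructed clean capture: ID 0x0C1 every 10 ms, ID 0x1A0 every 100 ms.
BASELINE_LOG = """\
(1.000) can0 0C1#0000000000000000
(1.000) can0 1A0#1122334455667788
(1.010) can0 0C1#0000000000000000
(1.020) can0 0C1#0000000000000000
(1.030) can0 0C1#0000000000000000
(1.040) can0 0C1#0000000000000000
(1.050) can0 0C1#0000000000000000
(1.100) can0 1A0#1122334455667788
(1.200) can0 1A0#1122334455667788
"""

# Constructed attack capture: an injected 0x0C1 at 2.022 s and a diagnostic
# request (0x7DF) that never appears on the bus during normal driving.
ATTACK_LOG = """\
(2.000) can0 0C1#0000000000000000
(2.000) can0 1A0#1122334455667788
(2.010) can0 0C1#0000000000000000
(2.020) can0 0C1#0000000000000000
(2.022) can0 0C1#FF00000000000000
(2.030) can0 0C1#0000000000000000
(2.040) can0 0C1#0000000000000000
(2.100) can0 1A0#1122334455667788
(2.150) can0 7DF#0201000000000000
(2.200) can0 1A0#1122334455667788
"""


def parse_log(text):
    """Return a list of (timestamp, arbitration_id, payload) tuples."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((float(m.group(1)), int(m.group(2), 16), bytes.fromhex(m.group(3))))
    return frames


def learn_periods(frames):
    """Median inter-arrival time per ID, learned from a clean capture."""
    last, gaps = {}, defaultdict(list)
    for ts, cid, _ in frames:
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return {cid: median(g) for cid, g in gaps.items()}


def detect_injection(frames, periods, ratio=0.5):
    """Flag IDs absent from the baseline, and frames that follow the previous
    frame with the same ID by less than ratio * learned period."""
    alerts, last = [], {}
    for ts, cid, _ in frames:
        if cid not in periods:
            alerts.append((ts, cid, "unknown id"))
        elif cid in last and ts - last[cid] < ratio * periods[cid]:
            alerts.append((ts, cid, "period violation"))
        last[cid] = ts
    return alerts


MAC_LEN = 3  # truncated tag; illustrative layout, not a real SecOC profile


def build_authenticated_frame(key, counter, data):
    """Payload layout (assumed): data(4) | counter(1) | tag(3) = 8 bytes."""
    assert len(data) == 4 and 0 <= counter <= 255
    body = data + bytes([counter])
    tag = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + tag


def verify_authenticated_frame(key, payload, last_counter):
    """Return (accepted, counter). Reject a bad tag or a counter that does not
    increase (replayed frame). A 1-byte counter wraps quickly; a real scheme
    needs a wider counter plus a resynchronisation mechanism."""
    if len(payload) != 8:
        return False, last_counter
    body, tag = payload[:5], payload[5:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    counter = body[4]
    if not hmac.compare_digest(tag, expected) or counter <= last_counter:
        return False, last_counter
    return True, counter


if __name__ == "__main__":
    periods = learn_periods(parse_log(BASELINE_LOG))
    for ts, cid, why in detect_injection(parse_log(ATTACK_LOG), periods):
        print(f"{ts:.3f}s id=0x{cid:03X}: {why}")
```

The timing detector only works for frames that a legitimate ECU keeps transmitting; an attacker who first silences the real sender (for example by forcing it into bus-off) and then transmits at the normal period is not caught by this check, which is one reason the slide pairs detection with message authentication and network segregation.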
What is your level of maturity on information security?
Development Of A Security Strategy
Determine acceptable levels of risk against how much investment is needed to meet business goals.
Tiers: Could Do / Should Do / Must Do
Rungs on the ladder, from emerging to mandatory:
- Emerging Trends
- Risk-Based Decisions to Achieve Business Goals
- Proactive management
- Protection of Business Assets
- Baseline protection
- Compliance & Regulatory
One Option: SAMM Approach
SAMM: Software Assurance Maturity Model (OWASP). SAMM defines four critical Business Functions: Governance, Construction, Verification and Deployment. Each Business Function is a category of activities related to software development. For each Business Function, SAMM defines three Security Practices; each Security Practice is an area of security-related activities that builds assurance for its Business Function. In total there are twelve Security Practices, independent silos for improvement that sit under the four Business Functions of software development.
Another Option: CESG Approach
CESG - 10 Steps to Cyber Security (steps 1 to 5, with this organisation's status; status entries are taken from the slide's status column in order)
1. User Education and Awareness
   Activities: produce user security policies covering acceptable and secure use of the organisation's systems; establish a staff training programme; maintain user awareness of the cyber risks.
   Status: simplified policies defined, working through approvals; lack of budget; cyber risk survey carried out and emails sent to users.
2. Home and Mobile Working
   Activities: develop a mobile working policy and train staff to adhere to it; apply the secure baseline build to all devices; protect data both in transit and at rest.
   Status: policy defined and awaiting HR sign-off and distribution.
3. Secure Configuration
   Activities: apply security patches and ensure that the secure configuration of all ICT systems is maintained; create a system inventory and define a baseline build for all ICT devices.
   Status: in place; servers OK, PCs to be controlled by AV software.
4. Removable Media Controls
   Activities: produce a policy to control all access to removable media; limit media types and use; scan all media for malware before importing onto the corporate system.
   Status: policies need enforcing.
5. Managing User Privileges
   Activities: establish account management processes and limit the number of privileged accounts; limit user privileges and monitor user activity; control access to activity and audit logs.
   Status: in place.
Note: Green does not mean we are comfortable with security in that area; it shows that management and focus are in place.
CESG - 10 Steps to Cyber Security (steps 6 to 10, with this organisation's status)
6. Incident Management
   Activities: establish an incident response and disaster recovery capability; produce and test incident management plans; provide specialist training to the incident management team; report criminal incidents to law enforcement.
   Status: DR yes / incident response no; plans in place and testing underway; IT training given but no wider; in place.
7. Monitoring
   Activities: establish a monitoring strategy and produce supporting policies; continuously monitor all ICT systems and networks; analyse logs for unusual activity that could indicate an attack.
   Status: monitoring in place, policies under way; product being reviewed in US.
8. Malware Protection
   Activities: produce relevant policy and establish anti-malware defences that are applicable and relevant to all business areas; scan for malware across the organisation.
   Status: AV in place; active monitoring to be done.
9. Network Security
   Activities: protect your networks against external and internal attack; manage the network perimeter; filter out unauthorised access and malicious content; monitor and test security controls.
   Status: monitoring in place; managed by 3rd party.
10. Information Risk Management Regime
   Defining and communicating your Board's Information Risk Management Regime is central to your organisation's overall cyber security strategy. CESG recommend you review this regime, together with the nine associated security areas (steps 1 to 9), in order to protect your business against the majority of cyber threats.
Priorities For Transportation Cybersecurity
- Standards, Policies and Procedures: develop, formalize and document policies and procedures for protecting against threats and improving resilience to such incidents.
- Information System Technology & Infrastructure: ensure the capability, maintenance, serviceability and interoperability of the organization's physical and virtual infrastructure.
- Awareness, Training & Education: focus on developing a general culture of awareness on cybersecurity; test the awareness and maturity.
- Risk Management: integrate security into the organization's risk management strategy from the very top to align with the organization's strategy, mission and goals.
Source: "Cybersecurity Considerations for Public Transit", American Public Transportation Association
Questions?