NHTSA Cyber Security Best Practices Study Tim Weisenberger December 7, 2011.


Presentation Overview
- Purpose of the study
- Study approach and methodology
- Lessons learned

Study Purpose
- Seek best practices in industries with similar concerns, risks, and constraints to the Automotive industry (NOT a study of cybersecurity in Automotive)
- Get a sense of where others are in tackling cybersecurity and where they are going
- Bring forward key learnings to help NHTSA craft a strategic roadmap for automobile electronic resiliency
- Parallel study of system reliability of safety-critical automobile electronic systems

Research Approach
- Literature Review: reviewed academic research, standards, etc.
- Request For Information: open solicitation to learn from any and all cyber experts
- SME Interviewing: sought out specific experts to discuss cyber security best practices
- Findings: these three elements resulted in the final findings

Industries/Sectors Studied and Why
Information Technology
- Foundation of cyber security best practices
Telecommunications
- Wireless-enabled Internet, cloud computing, etc. has led to:
  - Increased threat vectors from the hacking community
  - More sophisticated hacking (shared online tools, hacking social networks, etc.)

Industries/Sectors Studied and Why
Aviation
- "Aircraft-airspace" is very similar to "vehicle-roadway"
- E-enabled aircraft mirrors the highly IT-intensive, connected vehicle
- Advent of NextGen parallels the Cooperative Vehicle
- FAA has been working the security issue for years
Industrial Control Systems/Energy
- Infrastructure (networks/devices) often located in public
- Migrating forward with new IT and Telecommunications; security addressed later
- DHS (ICS), NRC (Nuclear), and FERC (Energy) have been working the security issue for some time

Industries/Sectors Studied and Why
Financial Payments
- Highly distributed risk (accepting merchants, online storefronts, processors, etc.)
- Need to secure networks outside of the card issuers' purview
Medical Devices
- Extremely safety/life critical
- Extremely high degree of privacy

Overarching Cybersecurity Issues
- Must correlate security and safety; "you can't have a safe system without a secure system"
- Transportation mission is currently safety, not security
- Systems are no longer closed; therefore potentially more vulnerable
- Operational systems extensively connected via IT and mesh communications networks
- Perception that there is "no ROI for security"
- Security must be a lifecycle approach

Information Security Lifecycle

Security Lifecycle – NIST 800 Series/FIPS
Security Life Cycle (starting point: CATEGORIZE)
- CATEGORIZE Information System (FIPS 199 / SP): Define criticality/sensitivity of the information system according to the potential worst-case adverse impact to mission/business.
- SELECT Security Controls (FIPS 200 / SP): Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
- IMPLEMENT Security Controls (SP): Implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
- ASSESS Security Controls (SP A): Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for the information system).
- AUTHORIZE Information System (SP): Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
- MONITOR Security State (SP / SP A): Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
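As an added illustration (not from the study or the slide), the following toy model runs the slide's lifecycle steps on a sample system: worst-case impact categorization, baseline selection with tailoring, assessment, authorization, and a monitoring step that voids the authorization when a change may affect controls. The control catalogue is constructed for this example and is not NIST SP 800-53 content.

```python
# Added example: toy model of the CATEGORIZE -> SELECT -> ASSESS -> AUTHORIZE
# -> MONITOR steps. The control catalogue is constructed, not SP 800-53 content.
from dataclasses import dataclass, field

LEVELS = ("low", "moderate", "high")

def categorize(confidentiality, integrity, availability):
    """CATEGORIZE: worst-case adverse impact across C/I/A (FIPS 199 high-water mark)."""
    impacts = (confidentiality, integrity, availability)
    if any(lvl not in LEVELS for lvl in impacts):
        raise ValueError(f"impact levels must be one of {LEVELS}")
    return max(impacts, key=LEVELS.index)

# Constructed catalogue: control -> lowest impact level whose baseline includes it.
CATALOGUE = {
    "ACCESS-CONTROL": "low",
    "AUDIT-LOGGING": "low",
    "MFA-PRIVILEGED": "moderate",
    "TAMPER-DETECTION": "high",
}

def select_controls(impact, tailor_out=(), supplement=()):
    """SELECT: take the baseline for the impact level, then tailor and supplement."""
    baseline = {c for c, lvl in CATALOGUE.items()
                if LEVELS.index(lvl) <= LEVELS.index(impact)}
    return (baseline - set(tailor_out)) | set(supplement)

@dataclass
class SystemRecord:
    impact: str
    selected: set
    assessment: dict = field(default_factory=dict)  # control -> passed?
    authorized: bool = False

def assess(rec, results):
    """ASSESS: a control passes only if reported implemented and operating as intended."""
    rec.assessment = {c: bool(results.get(c, False)) for c in rec.selected}
    return all(rec.assessment.values())

def authorize(rec):
    """AUTHORIZE: accept operation only when every selected control passed assessment."""
    rec.authorized = bool(rec.assessment) and all(rec.assessment.values())
    return rec.authorized

def monitor(rec, change_affects_controls):
    """MONITOR: a change that may affect controls voids the authorization until reassessed."""
    if change_affects_controls:
        rec.assessment, rec.authorized = {}, False
    return rec.authorized
```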

Industry Best Practices Findings

Key Learning (Source Industry)
- Cybersecurity is a lifecycle process that includes elements of assessment, design, implementation and operations as well as an effective testing and certification program (Source industry: All)
- The Aviation industry seems to be the tightest parallel to the Automotive industry (Source industry: FAA/Volpe Center)
- Strong leadership from the Federal government is needed for development of industry-specific cybersecurity standards, guidelines, and best practices (Source industry: FAA)
- Get involved in the rule-making process early; for example, the FAA has learned that it must take an active role in vulnerability assessment and a collaborative role with the industry to identify mitigation approaches that translate into technical solutions (Source industry: FAA)

- Private sector industry believes government should identify a set of minimum security requirements; specifically performance specifications, not technical specifications (Source industry: Aviation, Automotive)
- Ongoing shared learning with other Federal government agencies is beneficial (Source industry: FAA, NRC, NIST)
- Use of NIST Cybersecurity Standards as a baseline is a way to accelerate development of an industry-specific cybersecurity guideline (Source industry: FAA, NIST, NRC, Automotive)
- Leveraging international cybersecurity efforts is a key source of learning; for example, the EVITA efforts and the Time-Triggered Communications Protocol (Source industry: Automotive, Aviation)

- Government should lead the development of a cybersecurity simulator which can facilitate identification of vulnerabilities and risk mitigation strategies and can be used for collaborative learning (government, academia, private sector, international) and Federal rule-making (Source industry: FAA)
- There must be cybersecurity standards for the entire supply chain (Source industry: Automotive, Financial Payments)
- Government should help foster industry cybersecurity groups for exchange of cybersecurity information (Source industry: IT, DHS, NIST)

- Use of Professional Capacity Building to address cybersecurity skillsets that must be acquired by operational system designers and engineers (Source industry: All)
- Connected Vehicle security must be end-to-end; vehicles, infrastructure and V2X communication must ALL be secure (Source industry: Aviation, Automotive)

Findings Linked to Security Lifecycle

CONTACT INFORMATION
Michael Dinning, US DOT John A. Volpe National Transportation Systems Center
Edward Fok, FHWA Resource Center in San Francisco, Office of Technical Service - Operations Technical Service Team
Timothy Weisenberger, US DOT John A. Volpe National Transportation Systems Center