Presentation Overview - US Department of Transportation

NHTSA Cyber Security Best Practices Study
Tim Weisenberger
December 7, 2011

Presentation Overview
• Purpose of the study
• Study approach and methodology
• Lessons Learned

Study Purpose
• Seek best practices in industries with similar concerns, risks, and constraints to the Automotive industry (NOT a study of cybersecurity in Automotive)
• Get a sense of where others are in tackling cybersecurity and where they are going
• Bring forward key learnings to help NHTSA craft a strategic roadmap for automobile electronic resiliency
• Parallel study of system reliability of safety-critical automobile electronic systems

Research Approach
• Literature Review: Reviewed academic research, standards, etc.
• Request For Information: Open solicitation to learn from any and all cyber experts
• SME Interviewing: Sought out specific experts to discuss cyber security best practices
• These three elements resulted in final findings

Industries/Sectors Studied and Why
Information Technology
• Foundation of cyber security best practices
Telecommunications
• Wireless enabled Internet, cloud computing, etc. has led to:
    • Increased threat vectors of hacking community
    • Made hacking more sophisticated (shared online tools, hacking social networks, etc.)

Industries/Sectors Studied and Why
Aviation
• Aircraft-airspace very similar to vehicle-roadway
• E-enabled aircraft mirrors highly IT-intensive, connected vehicle
• Advent of NextGen parallels Cooperative Vehicle
• FAA has been working security issue for years
Industrial Control Systems/Energy
• Infrastructure (networks/devices) often located in public
• Migrating forward with new IT and Telecommunications; security addressed later
• DHS (ICS), NRC (Nuclear), and FERC (Energy) have been working the security issue for some time
Financial Payments
• Highly distributed risk (accepting merchants, online storefronts, processors, etc.)
• Need to secure networks outside of the card issuers' purview
Medical Devices
• Extremely safety/life critical
• Extremely high degree of privacy

Overarching Cybersecurity Issues
• Transportation mission is currently safety not security
• Must correlate security and safety; you can't have a safe system without a secure system
• Operational systems extensively connected via IT and mesh communications networks
• Systems are no longer closed; therefore potentially more vulnerable
• Perception that there is no ROI for security
• Security must be a lifecycle approach

Information Security Lifecycle

Security Lifecycle: NIST 800 Series/FIPS
Security Life Cycle (SP 800-39)
• CATEGORIZE Information System (FIPS 199 / SP 800-60), starting point: Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
• SELECT Security Controls (FIPS 200 / SP 800-53): Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
• IMPLEMENT Security Controls (SP 800-70): Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
• ASSESS Security Controls (SP 800-53A): Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).
• AUTHORIZE Information System (SP 800-37): Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
• MONITOR Security State (SP 800-37 / SP 800-53A): Continuously track changes to the information system that may affect security controls and reassess control effectiveness.

Industry Best Practices Findings

Key Learning (Source Industry)
• Cybersecurity is a lifecycle process that includes elements of assessment, design, implementation and operations as well as an effective testing and certification program (Source industry: All)
• The Aviation industry seems to be the tightest parallel to the Automotive industry (Source industry: FAA/Volpe Center)
• Strong leadership from the Federal government is needed for development of industry-specific cybersecurity standards, guidelines, and best practices (Source industry: FAA)
• Get involved in the rule-making process early; for example, the FAA has learned that they must take an active role in vulnerability assessment and a collaborative role with the industry to identify mitigation approaches that translate into technical solutions (Source industry: FAA)
• Private sector industry believes government should identify a set of minimum security requirements; specifically performance specifications not technical specifications (Source industry: Aviation, Automotive)
• Ongoing shared learning with other Federal government agencies is beneficial (Source industry: FAA, NRC, NIST)
• Use of NIST Cybersecurity Standards for a baseline is a way to accelerate development of an industry-specific cybersecurity guideline (Source industry: FAA, NIST, NRC, Automotive)
• Leveraging international cybersecurity efforts is a key source of learning; for example, EVITA efforts and Timed-Triggered Communications Protocol (Source industry: Automotive, Aviation)
• Government should lead the development of a cybersecurity simulator which can facilitate identification of vulnerabilities and risk mitigation strategies and can be used for the following (Source industry: FAA):
    • Collaborative learning (government, academia, private sector, international)
    • Federal Rule-making
• There must be cybersecurity standards for the entire supply chain (Source industry: Automotive, Financial Payments)
• Government should help foster industry cybersecurity groups for exchange of cybersecurity information (Source industry: IT, DHS, NIST)
• Use of Professional Capacity Building to address cybersecurity skillsets that must be acquired by operational system designers and engineers (Source industry: All)
• Connected Vehicle security must be end-to-end; vehicles, infrastructure and V2X communication must ALL be secure. (Source industry: Aviation, Automotive)

Findings Linked to Security Lifecycle
[Matrix: best practices identified (rows) against the security lifecycle phases Assess, Design, Implement, Operate (columns)]

Best Practices Identified
• Aviation as Parallel Industry
• Strong Federal Leadership
• End-to-End Connected Vehicle Security
• Leveraging International Cybersecurity Efforts
• Fostering Industry Cybersecurity Groups
• Ongoing Shared Learnings with other Federal Agencies
• Early Involvement in Rule-Making
• Mandate Standards for Supply Chain
• System Design & Operators Cyber Acumen
• Identify Minimum Security Requirements
• Develop a Cybersecurity Simulator
• Identify a Standards Development Baseline

CONTACT INFORMATION
• Michael Dinning, US DOT John A. Volpe National Transportation Systems Center
• Edward Fok, FHWA Resource Center in San Francisco, Office of Technical Service - Operations Technical Service Team
• Timothy Weisenberger, US DOT John A. Volpe National Transportation Systems Center
