APTA 2011 Rail Conference. Controls & Communications Security Standards Development Work Group Recommended Practices for Securing Our Transit Systems

Transcription

1 APTA 2011 Rail Conference Controls & Communications Security Standards Development Work Group Recommended Practices for Securing Our Transit Systems Chuck Weissman Presented by Dave Teumim Working Group Chair Los Angeles Metro 1

2 The New Cyber Security Philosophy For Transit Systems My Systems Exist, therefore they are vulnerable. 2

3 Outline Vulnerabilities Need for Industry Standards What is APTA doing? Questions 3

4 Vulnerabilities: You Are Connected! (even if you think you are not) Indirect methods of malware infection Supply chain undesirable software/functions may already be embedded or pre-loaded in off-the-shelf equipment. Vendor may deliver infected software. Human factors irresponsible use of portable media (USB). Unauthorized data/program transfer. Inadequate physical security Who is touching or can touch your secure equipment? Inadequate Configuration Management You may not realize you have been connected through a change to the system! 4

5 Vulnerabilities: Off-the-shelf Components Open Doors Can no longer rely on proprietary networks, hardware and software for protection. Open standards and proliferation of readily available tools (both legitimate and malicious) make things easier for hackers and nonhackers. It is no longer necessary to hack the system. You only need to get inside. 5

6 Vulnerabilities: Connections are Inevitable: If you are not connected you will be Increasing pressure from management to obtain and share data Web enabled Public Information Systems interfaces are a growing trend FTA National Intelligent Transportation Systems Architecture Consistency Policy requires regional integration for certain funding eligibility 6

7 A Need For Industry Standards Guidance is needed: Securing our legacy systems Migration path for existing systems that are still in the maintenance lifecycle phase Procurement language for acquisition of new systems Influence the Vendors to develop secure products Security and the System Lifecycle 7

8 What is APTA Doing? APTA Security Standards Landscape Transit Control and Communications Systems Cyber Security Physical Security Logical Security Existing Standards and Practices NERC/CIP, NIST, EEE Others 8 Transit Enterprise Cyber Security APTA Standards Development Working Groups Transit Agencies Consultants Government (DHS, TSA, Volpe, Etc.) Vendors Recruitment of Expertise

9 What is APTA Doing? Recommended Practices APTA Recommended Practice Securing Control and Communications Systems in Transit Environments Part-1 published in 2010 provides guidance for organizing a successful control system security program and performing a risk assessment Part-2 will provide recommended standards for developing a security plan focusing on administrative, physical, and logical controls. 9

10 Recruit expertise from Transit Agencies, Consultants, Vendors and the Government Develop Generic Transit System Descriptions and Identify Potential Vulnerabilities Block diagrams What is APTA Doing? Standards Development Approach Functional descriptions Communications conduits 10

11 What is APTA Doing? Standards Development Approach Classify Transit Functions into Three Zones of Criticality Safety Critical Signaling and Interlocking Fire Life Safety Critical Operationally Critical Note: Other zone definition and controls are a business decision of each agency 11

12 What is APTA Doing? Standards Development Approach Identify Conduits of Communications Within and between security zones Within and between subsystems 12

13 What is APTA Doing? Standards Development Approach Consider the Various Physical Security Environments Office systems / Head-end equipment Remote Communications and Control Buildings/rooms Wayside equipment cases Mobile assets 13

14 What is APTA Doing? Standards Development Approach Leverage existing standards and bodies of work NIST/FIPS series publications NERC/CIP Consensus Audit Guidelines (CAG) IEC, IEEE, etc. Map existing standards to generic transit systems and fill in gaps with new standards. 14

15 Conclusion Our Transit Systems are vulnerable to Cyber Security attacks The Transit Industry needs recommended practices for securing our Transit systems APTA has commissioned a working group consisting of industry and government expertise Questions 15