DOT/DHS: Joint Agency Work on Vehicle Cyber Security
|
|
- John Knight
- 6 years ago
- Views:
Transcription
1 DOT/DHS: Joint Agency Work on Vehicle Cyber Security Principal Investigator (PI): Kevin Harnett DOT-Volpe Center s Advanced Vehicle Technology Division August 16, 2017 The National Transportation Systems Center Advancing transportation innovation for the public good U.S. Department of Transportation Office of the Secretary of Transportation John A. Volpe National Transportation Systems Center Tampa Convention Center Tampa, Florida
2 Agenda Government Vehicles Security Program Telematics Overview Government Vehicles Program Software Engineering Institute (SEI) /CERT OBD-2 Dongle/Telematics Testing Government Vehicles Security Program Telematics Cybersecurity Guidance Development Volpe Center Automotive Cybersecurity R&D Showcase 2
3 DOT s Volpe National Transportation System Center Established in 1970 Part of U.S. Department of Transportation (DOT) Office of Research and Technology Mission: To Improve the nation s transportation system by serving as a center of excellence for informed decision making, anticipating emerging transportation issues, and advancing technical, operational, and institutional innovations Fee-for-service; no direct appropriations 3
4 DOT-Volpe Automotive Cybersecurity R&D Program Overview Joint DOT/DHS Automotive Cybersecurity R&D Program FY Program Tasks FY Program Tasks FY Program Tasks Automotive Cybersecurity Industry Consortium (ACIC) Program Initiation Investigate Government Fleet Cybersecurity Requirements Government Vehicle Cybersecurity Program Support Technical Support for DHS Automotive Cybersecurity R&D Tools and Vehicle Testing Automotive Cybersecurity Best Practices and Guidelines in the Private Sector ACIC Planning Support Pilot Cybersecurity Vulnerability Assessments of Vehicle Telematic Systems Operational ACIC Support Automotive Cybersecurity Tool Showcase Government Vehicle Cybersecurity Procurement Specification Support Commercial Truck Cybersecurity Support 4
5 DHS Cybersecurity for Government Vehicles Security Program Telematics Overview 5
6 Modern Vehicle Architecture 6
7 Government Critical Mission Use First Responder and Law Enforcement vehicles - Rescue, ambulance, police -Must be safe and reliable Undercover Vehicles mission critical -Must be safe and reliable -Blend in not tracked or identified either by emanating too much or by not emanating at all Government Official/Overseas Embassy Vehicles (e.g., "Black SUV") -Must be safe and need to hide Non-Tactical DoD Vehicles General use government vehicles -Vehicles that do not fall into above categories 7
8 General Services Administration (GSA) Telematics Program Telematics The term Telematics refers to a technology that combines telecommunications and information processing to send, receive, and store information related to remote objects, such as vehicles. (Source GAO , Federal Vehicle Fleets) Source: General Services Administration (GSA) Office of Fleet Management 8
9 General Services Administration (GSA) Telematics Program Telematics The term Telematics refers to a technology that combines telecommunications and information processing to send, receive, and store information related to remote objects, such as vehicles. (Source GAO , Federal Vehicle Fleets) EO 13693: Sustainability into the Next Decade (March 2016) Requirements - By 2017, all agencies should ensure that telematics collects the maximum vehicle diagnostics (fuel consumption, emissions, maintenance, utilization, idling, speed, and location data) at the asset level for acquisitions of new passenger, light duty and medium duty vehicles (where appropriate) Source: General Services Administration (GSA) Office of Fleet Management Executive Order Reporting Requirement GPS Tracking Only GPS Tracking & Vehicle Diagnostics Speed X X Location data X X Idling X X Utilization X X Maintenance X Fuel consumption Emissions (varies by year, manufacturer, make & model) X X 9
10 Government Fleet Management Telematics and Risks Logical Architecture Physical Architecture BCM ECM ENGINE TRANSMISSION C A N B U S CAN BUS CLUSTER LOCKS/ WINDOWS SECURITY Attack Surface Threats Connected to an External Network )) )) OBD DONGLE w/ TELEMATICS BASE STATION Provider Network Interfacing with a Public Network Providers Servers INTERNET accessible by Anyone Anywhere SERVICE CENTER FLEET MANAGER WHO ELSE?? 10
11 DHS Cybersecurity for Government Vehicles Program Software Engineering Institute (SEI)/CERT OBD-2 Dongle Testing 11
12 SEI/CERT OBD-2 Device Testing Configuration WiFi Access Point Ettus Research Software-Defined Radio Power Supply Linux laptop with OpenBTS SIM cards Bus Pirate Device Under Test Android Phones 12
13 SEI/CERT OBD-2 Device Testing Configuration (cont d) WiFi Access Point Ettus Research Software-Defined Radio Power Supply Linux laptop with OpenBTS SIM cards Bus Pirate Device Under Test Android Phones 13
14 Software Engineering Institute (SEI) /CERT OBD-2 Device Tests Development / un-configured device (Tested Q1 2016) Accepted unauthenticated admin commands via SMS Could load our own, trojaned firmware Unauthenticated Internet services No encryption in transit Production device (Tested Q1 2017) SMS disabled Can no longer force download of trojaned firmware Internet service appropriately firewalled Remaining risks Inherent cellular vulnerabilities Still no encryption in transit (Man-in-the-middle) 14
15 SEI/CERT: OBD-2 Device Tests Methodology Report Explains risks and potential impacts of security problems in OBD-II devices Describes a repeatable methodology for testing the devices for the most common security problems and misconfigurations Technical appendices detail how to perform some of the specialized testing and what equipment is needed Firmware Updates Wireless Security 15
16 DHS Cybersecurity for Government Vehicles Security Program Telematics Cybersecurity Guidance Development 16
17 Cybersecurity Primer for Fleet Managers o Fleet Management Information System (FMIS) is an Information System All Federal Information Systems require Federal Information Security Management Act (FISMA) compliance FISMA requires compliance with NIST standards o Multiple components to the system Vehicle Telematics Communications Management System Database o Primary responsibility is to protect Government personnel, property, and data 17
18 FISMA Compliance / NIST Guidance o Each Federal Agency Fleet Manager (FM) requires assessments using NIST guidance NIST SP * for guidance on security control implementation 18 Control families each related to policy, process, technical controls Access Control (AC) Audit & accountability (AU) Identification & Authentication (IA) Incidence Response (IR) Personnel Security (PS) Risk Assessment (RA) Awareness & Training (AT) Maintenance (MA) System & Service acquisition (SA) Security Assessment & Authorization (CA) Media Protection (MP) System & Communication Protection (SC) Configuration Management (CM) Physical & Environmental Protection (PE) *NIST Special Publication , Security and Privacy Controls for Federal Information Systems and Organizations, Rev 4 (April 2013). System & Information Integrity (SI) Contingency Planning (CP) Planning (PL) Program Management (PM) 18
19 FISMA Compliance / NIST Guidance o Each Federal Agency Fleet Manager (FM) requires risk assessments using NIST guidance NIST SP for guidance on security control implementation 13 Control Families selected 19
20 FISMA Compliance / NIST Guidance ID FAMILY CONTROLS SELECTED AC Access Control AC-6 - Least Privilege AC-14 - Permitted actions Without Identification or Authentication AC-17 - Remote access AC-18 - Wireless access AU Audit and accountability AU-2 - Audit Events CA Security Assessment and Authorization CA-6 - Security Authorization CA-8 - Penetration Testing CM Configuration Management CM-7 - Least Functionality IA Identification and Authentication IA-3 - Device Identification and Authentication IA-7 - Cryptographic Module Authentication IR Incidence Response IR-1 - Incident Response Policy and Procedures MA Maintenance MA-2 - Controlled Maintenance PL Planning PL-2 - System Security Plan PL-8 - Information Security Architecture PS Personnel Security PS-7 - Third-party Personnel Security RA Risk Assessment RA-3 - Risk Assessment RA-5 - Vulnerability Scanning SA System and Service acquisition SA-11 - Developer Security Testing and Evaluation SA-12 Supply Chain Protection SC System and Communications Protection SC-2 - Application Partitioning SC-7 - Boundary Protection SC-13 - Cryptographic Protection SC-23 - Session Authenticity SC-28 - Protection Of Information At Rest SC-39 - Process Isolation SI System and Information Integrity SI-2 - Flaw Remediation SI-3 - Malicious Code Protection SI-5 - Security Alerts, Advisories, And Directives SI-7 - Software, Firmware, and Information Integrity SI-10 - Information Input Validation SI-16 - Memory Protection 20
21 FISMA Compliance / NIST Guidance ( Firmware Updates Controls) ID FAMILY CONTROLS SELECTED AC Access Control AC-6 - Least Privilege AC-14 - Permitted actions Without Identification or Authentication AC-17 - Remote access AC-18 - Wireless access AU Audit and accountability AU-2 - Audit Events CA Security Assessment and Authorization CA-6 - Security Authorization CA-8 - Penetration Testing CM Configuration Management CM-7 - Least Functionality IA Identification and Authentication IA-3 - Device Identification and Authentication IA-7 - Cryptographic Module Authentication IR Incidence Response IR-1 - Incident Response Policy and Procedures MA Maintenance MA-2 - Controlled Maintenance PL Planning PL-2 - System Security Plan PL-8 - Information Security Architecture PS Personnel Security PS-7 - Third-party Personnel Security RA Risk Assessment RA-3 - Risk Assessment RA-5 - Vulnerability Scanning SA System and Service acquisition SA-11 - Developer Security Testing and Evaluation SA-12 Supply Chain Protection SC System and Communications Protection SC-2 - Application Partitioning SC-7 - Boundary Protection SC-13 - Cryptographic Protection SC-23 - Session Authenticity SC-28 - Protection Of Information At Rest SC-39 - Process Isolation SI System and Information Integrity SI-2 - Flaw Remediation SI-3 - Malicious Code Protection SI-5 - Security Alerts, Advisories, And Directives SI-7 - Software, Firmware, and Information Integrity SI-10 - Information Input Validation SI-16 - Memory Protection Example Firmware Update Controls 21
22 FISMA Compliance / NIST Guidance ( Wireless Security Controls) ID FAMILY CONTROLS SELECTED AC access Control AC-6 - Least Privilege AC-14 - Permitted actions Without Identification or Authentication AC-17 - Remote access AC-18 - Wireless access AU Audit and accountability AU-2 - Audit Events CA Security Assessment and Authorization CA-6 - Security Authorization CA-8 - Penetration Testing CM Configuration Management CM-7 - Least Functionality IA Identification and Authentication IA-3 - Device Identification and Authentication IA-7 - Cryptographic Module Authentication IR Incidence Response IR-1 - Incident Response Policy and Procedures MA Maintenance MA-2 - Controlled Maintenance PL Planning PL-2 - System Security Plan PL-8 - Information Security Architecture PS Personnel Security PS-7 - Third-party Personnel Security RA Risk Assessment RA-3 - Risk Assessment RA-5 - Vulnerability Scanning SA System and Service acquisition SA-11 - Developer Security Testing and Evaluation SA-12 Supply Chain Protection SC System and Communications Protection SC-2 - Application Partitioning SC-7 - Boundary Protection SC-13 - Cryptographic Protection SC-23 - Session Authenticity SC-28 - Protection Of Information At Rest SC-39 - Process Isolation SI System and Information Integrity SI-2 - Flaw Remediation SI-3 - Malicious Code Protection SI-5 - Security Alerts, Advisories, And Directives SI-7 - Software, Firmware, and Information Integrity SI-10 - Information Input Validation SI-16 - Memory Protection Example Wireless Security Controls 22
23 Telematics Recommendation Telematics devices/systems are the gateway to the vehicle network and data. To protect the fleet efficiency management system and vehicle it is recommended to: o Protect Communications Between Devices/Systems It is recommended that encryption be implemented to protect all communications external to a device o Protect Firmware on Devices/Systems It is recommended that the use of digital signatures and encryption are used to both protect firmware on the device and authenticate and protect updating of firmware to the device 23
24 Telematics Recommendation Telematics devices/systems are the gateway to the vehicle network and data. To protect the fleet efficiency management system and vehicle it is recommended to: o Protect Communications Between Devices/Systems It is recommended that encryption be implemented to protect all communications external to a device o Protect Firmware on Devices/Systems It is recommended that the use of digital signatures and encryption are used to both protect firmware on the device and authenticate and protect updating of firmware to the device o Protect Action of Devices/Systems It is recommended that implementation of the principle of least privilege is implemented on all devices o Protect Integrity of Devices/Systems It is recommended that manufacturers and/or maintainers of devices institute a *vulnerability response program for receiving, implementing, and addressing vulnerabilities discovered or reported in their products * ISO/IEC 29147:2014 Information technology -- Security techniques -- Vulnerability Disclosure) ISO/IEC 30111:2013 (Information technology -- Security techniques -- Vulnerability Handling Processes) 24
25 Example Telematics Cybersecurity Risk Assessment Questionnaire Telematics devices/systems are the gateway to the vehicle network and data. To protect the fleet efficiency management system and vehicle it is recommended to: o Protect Communications Between Devices/Systems It is recommended that encryption be implemented to protect all communications external to a device o o o Protect Firmware on Devices/Systems It is recommended that the use of digital signatures and encryption are used to both protect firmware on the device and authenticate and protect updating of firmware to the device Protect Action of Devices/Systems It is recommended that implementation of the principle of least privilege is implemented on all devices Protect Integrity of Devices/Systems It is recommended that manufacturers and/or maintainers of devices institute a vulnerability response program for receiving, implementing, and addressing vulnerabilities discovered or reported in their products 25
26 HEAVENS Risk Assessment Process Healing Vulnerabilities to Enhance Software Security and Safety (HEAVENS) is an attackercentric type of risk analysis tool utilizing STRIDE* threat definitions to correlate threats with security attributes * Microsoft s Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DOS) and Elevation of Privileges (STRIDE): 26
27 Available Documents Telematics Cybersecurity Primer for Agencies (June 2017) Telematics Cybersecurity Primer for Agencies Risk Assessment Questionnaire (June 2017) HEAVANS Risk Model and Program Deliverables (April 2016) 27
28 Volpe Center Automotive Cybersecurity R&D Showcase 28
29 DHS/Volpe Center Automotive Cybersecurity R&D Showcase (October 18-20, 2016) Federal Programs and Labs Vehicle Cybersecurity Workshop (October 18) - Workshop for federally-funded Automotive Cybersecurity Programs (e.g. DHS, NHTSA, DARPA, Army/TARDEC, NIST, TC/DRDC, etc.) and Federal Laboratories (e.g. DOE, DoD, Federally-funded Research and Development Centers-FFRDCs, etc.) Bring together Federally Funded stakeholders to share information about and collaborate on ongoing and future Government projects in Automotive Cybersecurity Minimize duplication of efforts in Federal Automotive Cybersecurity R&D Workshop Report (available on request for Federal or Federal Contractor staff only) 29
30 Federal Programs and Labs Vehicle Cybersecurity Workshop - Conclusions Need for continued collaboration between federal laboratories Government Vehicles Telematics Cybersecurity Workshop (to be held in DC on December 13 th 2017) Feasibility study of virtual test vehicles and test benches
31 DHS/Volpe Center Automotive Cybersecurity R&D Showcase (October 18-20, 2016) Cont d Open Source Automotive Cybersecurity Research Tool Forum (October 19-20) Many automotive cybersecurity Open Source Software (OSS) research tools are in development. Tools support areas: new hardware interfaces, discovery, injection, sniffing, reverse engineering, fuzzing, software defined radio (SDR) and simulation. Forum goals: Demonstrate the current state of the art in automotive cybersecurity tools on real automobiles Foster researcher-to-researcher relationships Share knowledge about cybersecurity research issues and automation challenges Incentivize increased academic and security researcher interest in automotive cybersecurity Connect tool developers with collaborators, end users, and potential funding sources Workshop Report (available on request) 31
32 Open Source Automotive Cybersecurity Research Tool Forum - Conclusions Virtual workbenches are needed due to limited vehicle access A growing proliferation of open source tools Open source tools are getting more powerful and sophisticated Open source software/hardware significantly lowers the entry barrier for researchers User as developer model creates positive feedback loop 32
33 Open Source Automotive Cybersecurity Research Tool Forum Next Steps Development of an Open Source OS Tools Portal for use by Government researchers, and academia Continuation of the Automotive Cybersecurity R&D Showcase type of event with more hands on activities (e.g. academia training classes) Continued outreach to the open source community 33
34 Questions 34
35 Contact Information Chase Garwood Program Manager Department of Homeland Security Science and Technology (S&T) HSARPA Cybersecurity Division (CSD) Phone: Kevin Harnett Cybersecurity Program Manager U.S. Department of Transportation Office of Research and Technology John A. Volpe National Transportation Systems Center (Volpe Center) Phone:
MINIMUM SECURITY CONTROLS SUMMARY
APPENDIX D MINIMUM SECURITY CONTROLS SUMMARY LOW-IMPACT, MODERATE-IMPACT, AND HIGH-IMPACT INFORMATION SYSTEMS The following table lists the minimum security controls, or security control baselines, for
More informationSecurity Control Mapping of CJIS Security Policy Version 5.3 Requirements to NIST Special Publication Revision 4 4/1/2015
U. S. Department of Justice Federal Bureau of Investigation Criminal Justice Information Services Division Security Control Mapping of CJIS Security Policy Version 5.3 s to NIST Special Publication 800-53
More informationINTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST
INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE Aeronautical Telecommunication Network Implementation Coordination Group (ATNICG) ASIA/PAC RECOMMENDED SECURITY CHECKLIST September 2009
More informationDoD Guidance for Reviewing System Security Plans and the NIST SP Security Requirements Not Yet Implemented This guidance was developed to
DoD Guidance for Reviewing System Security Plans and the s Not Yet Implemented This guidance was developed to facilitate the consistent review and understanding of System Security Plans and Plans of Action,
More informationProtecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations
Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations January 9 th, 2018 SPEAKER Chris Seiders, CISSP Security Analyst Computing Services and Systems Development
More informationMapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls
Mapping of FedRAMP Tailored LI SaaS Baseline to ISO 27001 Security Controls This document provides a list of all controls that require the Cloud Service Provider, Esri, to provide detailed descriptions
More informationSAC PA Security Frameworks - FISMA and NIST
SAC PA Security Frameworks - FISMA and NIST 800-171 June 23, 2017 SECURITY FRAMEWORKS Chris Seiders, CISSP Scott Weinman, CISSP, CISA Agenda Compliance standards FISMA NIST SP 800-171 Importance of Compliance
More informationACHIEVING COMPLIANCE WITH NIST SP REV. 4:
ACHIEVING COMPLIANCE WITH NIST SP 800-53 REV. 4: How Thycotic Helps Implement Access Controls OVERVIEW NIST Special Publication 800-53, Revision 4 (SP 800-53, Rev. 4) reflects the U.S. federal government
More informationexisting customer base (commercial and guidance and directives and all Federal regulations as federal)
ATTACHMENT 7 BSS RISK MANAGEMENT FRAMEWORK PLAN [L.30.2.7, M.2.2.(7), G.5.6; F.2.1(41) THROUGH (76)] A7.1 BSS SECURITY REQUIREMENTS Our Business Support Systems (BSS) Risk MetTel ensures the security of
More informationBuilding Secure Systems
Building Secure Systems Antony Selim, CISSP, P.E. Cyber Security and Enterprise Security Architecture 13 November 2015 Copyright 2015 Raytheon Company. All rights reserved. Customer Success Is Our Mission
More informationTop 10 ICS Cybersecurity Problems Observed in Critical Infrastructure
SESSION ID: SBX1-R07 Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure Bryan Hatton Cyber Security Researcher Idaho National Laboratory In support of DHS ICS-CERT @phaktor 16 Critical
More informationBecause Security Gives Us Freedom
Because Security Gives Us Freedom PANOPTIC CYBERDEFENSE CYBERSECURITY LEADERSHIP Panoptic Cyberdefense is a monitoring and detection service in three levels: Security Management and Reporting Managed Detection
More informationWHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3
WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3 ABSTRACT This white paper is Part 2 in a three-part series of white papers on the sometimes daunting subject of continuous monitoring
More informationEXABEAM HELPS PROTECT INFORMATION SYSTEMS
WHITE PAPER EXABEAM HELPS PROTECT INFORMATION SYSTEMS Meeting the Latest NIST SP 800-53 Revision 4 Guidelines SECURITY GUIDELINE COMPLIANCE There has been a rapid increase in malicious insider threats,
More informationNIST Special Publication
DATASHEET NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations Mapping for Carbon Black BACKGROUND The National Institute of Standards and Technology
More informationThe "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP states:
Major Enhancements to NIST SP 800-53 Revision 4 BD Pro The "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP 800-53 states: "The proposed changes included in Revision 4
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationEvolving Cybersecurity Strategies
Evolving Cybersecurity Strategies NIST Special Publication 800-53, Revision 4 ISSA National Capital Chapter April 17, 2012 Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL
More informationEXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
EXCERPT NIST Special Publication 800-171 R1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations An Excerpt Listing All: Security Requirement Families & Controls Security
More informationFour Deadly Traps of Using Frameworks NIST Examples
Four Deadly Traps of Using Frameworks NIST 800-53 Examples ISACA Feb. 2015 Meeting Doug Landoll dlandoll@lantego.com (512) 633-8405 Session Agenda Framework Definition & Uses NIST 800-53 Framework Intro
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationRev.1 Solution Brief
FISMA-NIST SP 800-171 Rev.1 Solution Brief New York FISMA Cybersecurity NIST SP 800-171 EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker delivers business critical
More informationAttachment 1 to Appendix 2 Risk Assessment Security Report for the Networx Security Plan
Attachment 1 to Appendix 2 Risk Assessment Security Report for the Networx Security Plan DRAFT December 13, 2006 Revision XX Qwest Government Services, Inc. 4250 North Fairfax Drive Arlington, VA 22203
More informationThe New Security Heroes. Alan Paller
The New Security Heroes Alan Paller apaller@sans.org How they attack Spam with infected attachments Web sites that have infected content The most dangerous: targeted attacks Fooling the victim into Installing
More informationRecommended Security Controls for Federal Information Systems and Organizations
NIST Special Publication 800-53 Revision 3 Excerpt Recommended Security Controls for Federal Information Systems and Organizations JOINT TASK FORCE TRANSFORMATION INITIATIVE HIGH-IMPACT BASELINE I N F
More informationDFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions
DFARS 252.204.7012 Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions By Jonathan Hard, CEO And Carol Claflin, Director of Business Development H2L
More informationNIST SP , Revision 1 CNSS Instruction 1253
NIST SP 800-53, Revision 1 CNSS Instruction 1253 Annual Computer Security Applications Conference December 10, 2009 Dr. Ron Ross Computer Security Division Information Technology Laboratory Introduction
More informationNIST Security Certification and Accreditation Project
NIST Security Certification and Accreditation Project An Integrated Strategy Supporting FISMA Dr. Ron Ross Computer Security Division Information Technology Laboratory 1 Today s Climate Highly interactive
More informationNew Guidance on Privacy Controls for the Federal Government
New Guidance on Privacy Controls for the Federal Government IAPP Global Privacy Summit 2012 March 9, 2012 Dr. Ron Ross Computer Security Division, NIST Martha Landesberg, J.D., CIPP/US The Privacy Office,
More informationBig Brother is Watching Your Big Data: z/os Actions Buried in the FISMA Security Regulation
Big Brother is Watching Your Big Data: z/os Actions Buried in the FISMA Security Regulation Bill Valyo CA Technologies February 7, 2013 Session #12765 Quick Abstract: About this Presentation This presentation
More informationFISMA Compliance. with O365 Manager Plus.
FISMA Compliance with O365 Manager Plus www.o365managerplus.com About FISMA The Federal Information Security Management Act (FISMA) is a United States federal law passed in 2002 that made it a requirement
More informationIASM Support for FISMA
Introduction Most U.S. civilian government agencies, and commercial enterprises processing electronic data on behalf of those agencies, are concerned about whether and how Information Assurance products
More informationSYSTEMS ASSET MANAGEMENT POLICY
SYSTEMS ASSET MANAGEMENT POLICY Policy: Asset Management Policy Owner: CIO Change Management Original Implementation Date: 7/1/2017 Effective Date: 7/1/2017 Revision Date: Approved By: NIST Cyber Security
More informationCSAM Support for C&A Transformation
CSAM Support for C&A Transformation Cyber Security Assessment and Management (CSAM) 1 2 3 4 5 Five Services, One Complete C&A Solution Mission/Risk-Based Policy & Implementation/Test Guidance Program Management
More informationUsing Metrics to Gain Management Support for Cyber Security Initiatives
Using Metrics to Gain Management Support for Cyber Security Initiatives Craig Schumacher Chief Information Security Officer Idaho Transportation Dept. January 2016 Why Metrics Based on NIST Framework?
More informationSafeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)
Page 1 of 7 Section O Attach 2: SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013) 252.204-7012 Safeguarding of Unclassified Controlled Technical Information. As prescribed in 204.7303,
More informationRansomware. How to protect yourself?
Ransomware How to protect yourself? ED DUGUID, CISSP, VCP CONSULTANT, WEST CHESTER CONSULTANTS Ransomware Ransomware is a type of malware that restricts access to the infected computer system in some way,
More informationStrengthening the Cybersecurity of Federal Networks and Critical Infrastructure
Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Executive Order 13800 Update July 2017 In Brief On May 11, 2017, President Trump issued Executive Order 13800, Strengthening
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Risk Monitoring Risk Monitoring assesses the effectiveness of the risk decisions that are made by the Enterprise.
More informationDFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com
DFARS Compliance SLAIT Consulting SECURITY SERVICES Mike D Arezzo Director of Security Services Introduction 18+ year career in Information Technology and Security General Electric (GE) as Software Governance
More informationFedRAMP: Understanding Agency and Cloud Provider Responsibilities
May 2013 Walter E. Washington Convention Center Washington, DC FedRAMP: Understanding Agency and Cloud Provider Responsibilities Matthew Goodrich, JD FedRAMP Program Manager US General Services Administration
More informationFederal Mobility: A Year in Review
Federal Mobility: A Year in Review Link: https://www.dhs.gov/csd-mobile Link: https://www.dhs.gov/publication/csd-mobile-device-security-study Vincent Sritapan Cyber Security Division Science and Technology
More informationto Address Cyber Physical Systems Security (CPSSEC)
Combating Threats: S&T is Building a Resilient Cyber Ecosystem to Address Cyber Physical Systems Security (CPSSEC) Follow us at dhsscitech CPS Security is Critical Smart cars, grids, medical devices, manufacturing,
More informationEnhancing the Cybersecurity of Federal Information and Assets through CSIP
TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3
More informationCompliance Brief: The National Institute of Standards and Technology (NIST) , for Federal Organizations
VARONIS COMPLIANCE BRIEF NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) 800-53 FOR FEDERAL INFORMATION SYSTEMS CONTENTS OVERVIEW 3 MAPPING NIST 800-53 CONTROLS TO VARONIS SOLUTIONS 4 2 OVERVIEW
More informationFISMA-NIST SP Rev.4 Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD FISMA NIST SP
FISMA-NIST SP 800-53 Rev.4 Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical solutions that transform high-volume cryptic log data into actionable, prioritized intelligence
More informationSecuring the future of mobility
Kaspersky Transportation System Security AVL Software and Functions Securing the future of mobility www.kaspersky.com #truecybersecurity Securing the future of mobility Connected car benefits The need
More informationNW NATURAL CYBER SECURITY 2016.JUNE.16
NW NATURAL CYBER SECURITY 2016.JUNE.16 ADOPTED CYBER SECURITY FRAMEWORKS CYBER SECURITY TESTING SCADA TRANSPORT SECURITY AID AGREEMENTS CONCLUSION QUESTIONS ADOPTED CYBER SECURITY FRAMEWORKS THE FOLLOWING
More informationNIST Compliance Controls
NIST 800-53 Compliance s The following control families represent a portion of special publication NIST 800-53 revision 4. This guide is intended to aid McAfee, its partners, and its customers, in aligning
More informationThe NIST Cybersecurity Framework
The NIST Cybersecurity Framework U.S. German Standards Panel 2018 April 10, 2018 Adam.Sedgewick@nist.gov National Institute of Standards and Technology About NIST Agency of U.S. Department of Commerce
More informationCloudCheckr NIST Matrix
CloudCheckr NIST 800-53 Matrix FISMA NIST 800-53 (Rev 4) Shared Public Cloud Infrastructure Standards NIST CONTROL AC-2 ACCOUNT MANAGEMENT a. Identifies and selects the following types of information system
More informationFiscal Year 2013 Federal Information Security Management Act Report
U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Fiscal Year 2013 Federal Information Security Management Act Report Status of EPA s Computer Security Program Report. 14-P-0033 vember 26,
More informationInformation Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC
Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/protect/ndcbf_
More informationStreamlined FISMA Compliance For Hosted Information Systems
Streamlined FISMA Compliance For Hosted Information Systems Faster Certification and Accreditation at a Reduced Cost IT-CNP, INC. WWW.GOVDATAHOSTING.COM WHITEPAPER :: Executive Summary Federal, State and
More informationUNECE WP29/TFCS Regulation standards on threats analysis (cybersecurity) and OTA (software update)
UNECE WP29/TFCS Regulation standards on threats analysis (cybersecurity) and OTA (software update) Koji NAKAO, NICT, Japan (Expert of UNECE WP29/TFCS) General Flow of works in WP29/TFCS and OTA Data protection
More informationStatement for the Record
Statement for the Record of Seán P. McGurk Director, Control Systems Security Program National Cyber Security Division National Protection and Programs Directorate Department of Homeland Security Before
More informationNIST Special Publication
NIST Special Publication 800-53 Practical Application of the Minimum Baseline Security Controls Graydon S. McKee IV CISSP, GSEC A Framework for All Seasons With the finalization of Federal Information
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationProtecting Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities
Cybersecurity Basics For Energy Managers Protecting Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities Michael Mylrea Manager, Cybersecurity & Energy Technology Pacific
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Host Intrusion The Host Intrusion employs a response to a perceived incident of interference on a host-based system
More informationEnsuring System Protection throughout the Operational Lifecycle
Ensuring System Protection throughout the Operational Lifecycle The global cyber landscape is currently occupied with a diversity of security threats, from novice attackers running pre-packaged distributed-denial-of-service
More informationThe Key Principles of Cyber Security for Connected and Automated Vehicles. Government
The Key Principles of Cyber Security for Connected and Automated Vehicles Government Contents Intelligent Transport System (ITS) & Connected and Automated Vehicle (CAV) System Security Principles: 1. Organisational
More informationNIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF) Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical solutions that transform high-volume cryptic log data into actionable, prioritized
More informationControl Systems Cyber Security Awareness
Control Systems Cyber Security Awareness US-CERT Informational Focus Paper July 7, 2005 Produced by: I. Purpose Focus Paper Control Systems Cyber Security Awareness The Department of Homeland Security
More informationNIST Special Publication
NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Ryan Bonner Brightline WHAT IS INFORMATION SECURITY? Personnel Security
More informationEvaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure
Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure March 2015 Pamela Curtis Dr. Nader Mehravari Katie Stewart Cyber Risk and Resilience Management Team CERT
More informationNational Institute of Standards and Technology
National Institute of Standards and Technology April 2017 1 ITL Mission ITL promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and related technology through
More informationInformation Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events
Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events Location: Need the right URL for this document https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/detect/ndcbf_i
More informationPIPELINE SECURITY An Overview of TSA Programs
PIPELINE SECURITY An Overview of TSA Programs Jack Fox Pipeline Industry Engagement Manager Surface Division Office of Security Policy & Industry Engagement May 5, 2014 TSA and Pipeline Security As the
More informationCybersecurity Risk Management
Cybersecurity Risk Management NIST Guidance DFARS Requirements MEP Assistance David Stieren Division Chief, Programs and Partnerships National Institute of Standards and Technology (NIST) Manufacturing
More informationCloudCheckr NIST Audit and Accountability
CloudCheckr NIST 800-53 Audit and Accountability FISMA NIST 800-53 (Rev 4) Audit and Accountability: Shared Public Cloud Infrastructure Standards Standard Requirement per NIST 800-53 (Rev. 4) CloudCheckr
More informationDHS Cybersecurity: Services for State and Local Officials. February 2017
DHS Cybersecurity: Services for State and Local Officials February 2017 Department of Established in March of 2003 and combined 22 different Federal departments and agencies into a unified, integrated
More informationContinuous Monitoring Strategy & Guide
Version 1.0 June 27, 2012 Executive Summary The OMB memorandum M-10-15, issued on April 21, 2010, changed from static point in time security authorization processes to Ongoing Assessment and Authorization
More informationSecurity
Security +617 3222 2555 info@citec.com.au Security With enhanced intruder technologies, increasingly sophisticated attacks and advancing threats, your data has never been more susceptible to breaches from
More informationDepartment of Defense Cybersecurity Requirements: What Businesses Need to Know?
Department of Defense Cybersecurity Requirements: What Businesses Need to Know? Why is Cybersecurity important to the Department of Defense? Today, more than ever, the Department of Defense (DoD) relies
More informationBYOD. Transformation. Joe Leonard Director, Secure Networks. April 3, 2013
BYOD Transformation April 3, 2013 Joe Leonard Director, Secure Networks Agenda Joe Leonard Introduction CIO Top 10 Tech Priorities What is BYOD? BYOD Trends BYOD Threats Security Best Practices HIPAA Security
More informationTREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Treasury Inspector General for Tax Administration Federal Information Security Management Act November 10, 2010 Reference Number: 2011-20-003 This report
More informationCompliance with NIST
Compliance with NIST 800-171 1 What is NIST? 2 Do I Need to Comply? Agenda 3 What Are the Requirements? 4 How Can I Determine If I Am Compliant? 5 Corserva s NIST Assessments What is NIST? NIST (National
More informationFramework for Improving Critical Infrastructure Cybersecurity
1 Framework for Improving Critical Infrastructure Cybersecurity Standards Certification Education & Training Publishing Conferences & Exhibits Dean Bickerton ISA New Orleans April 5, 2016 A Brief Commercial
More informationGreg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security
1 Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security 2 Government Services 3 Business Education Social CYBERSPACE
More informationCritical Infrastructure Sectors and DHS ICS CERT Overview
Critical Infrastructure Sectors and DHS ICS CERT Overview Presented by Darryl E. Peek II REGIONAL INTELLIGENCE SEMINAR AND NATIONAL SECURITY FORUM 2 2 Authorities and Related Legislation Homeland Security
More informationUsing ACR 2 Reports. 4. Deficiency.pdf - a cross listing of missing or underperforming safeguards with risk categories for this system at this time.
Using ACR 2 Reports Creating Compliance Action Plans After entering and reviewing system data on information security, users will receive either a baseline or an update set of reports depending on whether
More informationUpdates to the NIST Cybersecurity Framework
Updates to the NIST Cybersecurity Framework NIST Cybersecurity Framework Overview and Other Documentation October 2016 Agenda: Overview of NIST Cybersecurity Framework Updates to the NIST Cybersecurity
More informationUNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21
National and Cyber Security Branch Presentation for Gridseccon Quebec City, October 18-21 1 Public Safety Canada Departmental Structure 2 National and Cyber Security Branch National and Cyber Security
More informationNERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS
NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements
More informationHeavy Vehicle Cyber Security Bulletin
Heavy Vehicle Cyber Security Update National Motor Freight Traffic Association, Inc. 1001 North Fairfax Street, Suite 600 Alexandria, VA 22314 (703) 838-1810 Heavy Vehicle Cyber Security Bulletin Bulletin
More informationChoosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist
Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist Agenda Industry Background Cybersecurity Assessment Tools Cybersecurity Best Practices 2 Cybersecurity
More informationNational Policy and Guiding Principles
National Policy and Guiding Principles National Policy, Principles, and Organization This section describes the national policy that shapes the National Strategy to Secure Cyberspace and the basic framework
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)
ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) June 2017 INSERT YEAR HERE Contact Information: Jeremy Dalpiaz AVP, Cyber and Data Security Policy Jeremy.Dalpiaz@icba.org ICBA Summary
More informationSecuring the Smart Grid. Understanding the BIG Picture 11/1/2011. Proprietary Information of Corporate Risk Solutions, Inc. 1.
Securing the Smart Grid Understanding the BIG Picture The Power Grid The electric power system is the most capital-intensive infrastructure in North America. The system is undergoing tremendous change
More informationSecurity Standards Compliance NIST SP Release 4 Trend Micro Products (Deep Security and SecureCloud) - Version 1.1
Security Standards Compliance NIST SP 800-53 Release 4 Trend Micro Products (Deep Security and SecureCloud) - Version 1.1 Document TMIC-003-N Version 1.1, 24 August 2012 1 Security and Privacy Controls
More informationImproving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework
1 Improving Critical Infrastructure Cybersecurity Executive Order 13636 Preliminary Cybersecurity Framework 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
More informationGerman OWASP Day 2016 CarIT Security: Facing Information Security Threats. Tobias Millauer
German OWASP Day 2016 CarIT Security: Facing Information Security Threats Tobias Millauer Daimler Business Units German OWASP Day 2016 CarIT Security: Facing Information Security Threats Tobias Millauer
More informationCyber Security and Vehicle Diagnostics. Mark Zachos DG Technologies
Cyber Security and Vehicle Diagnostics Mark Zachos DG Technologies SAE INTERNATIONAL SAE J3061 Cybersecurity Guidebook for Cyber-Physical Automotive Systems Published January 2016; drive to a risk-based,
More informationSoftware & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management
Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management Joe Jarzombek, PMP, CSSLP Director for Software & Supply
More informationThe Common Controls Framework BY ADOBE
The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.
More informationSecure Product Design Lifecycle for Connected Vehicles
Secure Product Design Lifecycle for Connected Vehicles Lisa Boran Vehicle Cybersecurity Manager, Ford Motor Company SAE J3061 Chair SAE/ISO Cybersecurity Engineering Chair AGENDA Cybersecurity Standards
More informationHeavy Vehicle Cybersecurity Update. National Motor Freight Traffic Association, Inc.
Heavy Vehicle Cybersecurity Update National Motor Freight Traffic Association, Inc. National Motor Freight Traffic Association, Inc. (NMFTA) Industry non-profit representing more than 600 companies operating
More informationNational Cybersecurity Center of Excellence
National Cybersecurity Center of Excellence Increasing the deployment and use of standards-based security technologies Briefing to ITEA Cyber Workshop 29 March 2017 STRATEGY VISION ADVANCE CYBERSECURITY
More informationNIJ and Personnel Location Precision Indoor Personnel Location and Tracking for Emergency Responders Technology Workshop August 7 & 8, 2006
NIJ and Personnel Location Precision Indoor Personnel Location and Tracking for Emergency Responders Technology Workshop August 7 & 8, 2006 Joe Heaps Portfolio Manager, CommTech Office of Science and Technology
More information