CYBER SECURITY WHITEPAPER

Transcription

1 CYBER SECURITY WHITEPAPER

2 ABOUT GRIDSMART TECHNOLOGIES, INC. GRIDSMART Technologies, Inc. provides Simple, Flexible, and Transparent solutions for the traffic industry that collect and use data to make intersections and roadways safer and more efficient. GRIDSMART Technologies has two main products: The GRIDSMART System and STREETSMART. The GRIDSMART System, the GS 2 processor paired with the Bell Camera, uses object tracking and computer vision algorithms for detection and actuation at intersections. The GRIDSMART System uses its single Bell Camera to manage the entire intersection, greatly reducing installation time and maintenance expense. GRIDSMART System has the ability to collect valuable data in real-time that can be used by Smart Cities to improve the flow of traffic through intersections, plan for future needs, and respond. STREETSMART uses Wi-Fi technology to continuously stream travel time data of entire corridors. The STREETSMART data can be used to provide reports on origin and destination, identify inefficiencies that exist on a roadway, and update commuters on the conditions of their commute that day. GRIDSMART Technologies solutions make city roadways safer, smarter, and better for all citizens. The purpose of this document is to detail how GRIDSMART Technologies is addressing cyber security today and the services it will now be offering to its customers through its most recent partnership. GRIDSMART Technologies, Inc Hardin Valley Rd. Knoxville, TN info@gridsmart.com

3 INTRODUCTION The transportation system is rapidly changing. Leading that change is the ability to gather, process, and react to the conclusions that come from big data. From Smart City initiatives to the development of connected and autonomous vehicles as well as the projected growth of urban areas, effectively leveraging existing infrastructure becomes a challenge for the transportation industry. Without much risk of speculation, one can assume that data will drive the future of the industry. As the mountains of data continue to grow and the need for more complex solutions become apparent, the processing power required will continue to grow. Technology providers wanting to deliver these solutions must come up with a data processing strategy. The decision hinges on what needs to be processed at the cabinet (edge) and what can be processed in a less urgent and more cost-effective manner in the cloud. Speed and cost are two determining factors. Most technology companies and their customers usually arrive at the same conclusion a two-pronged strategy must be employed to provide the greatest value to the customer at a reasonable price point. However, with any new advancement comes new challenges. Increased connectivity requires an increased focus on security. In this aspect, the transportation industry is no different than any other industry. Cyber security needs to become more of a focal point. The other challenge for any industry or organization is that cyber security means not only focusing on what new technologies to buy but what training, procedures, and planning need to take place organization wide. Many organizations know they have cyber security needs, but fail to act because they don t know where to begin or how to wrap their arms around the process. We at GRIDSMART Technologies understand and share our customers security concerns and believe that we should be part of the solution in helping our customers take the first steps and navigate the path to becoming more cyber secure. That is why GRIDSMART Technologies is making cyber security a top priority not only to make our company s products better, but to provide solutions that meet our customers security needs.

4 BENEFITS OF CONNECTIVITY AND THE CLOUD GRIDSMART Technologies customers benefit today from device connectivity and data processing in the cloud in the following ways: 1. Customer intersection configurations are backed up to their GRIDSMART Cloud account, meaning customers will always be able (a) to recover in the event they need to recommission a new system at that site, (b) download the site to the Client on a new computer, and (c) share it with colleagues via Teams on GRIDSMART Cloud. 2. The system will self-correct its clock for time drift and daylight savings time eliminating the need for manual intervention. 3. System event alerts can be set up and team members can be notified by of events in mere seconds. System events include Published Changes, Startup, Camera Offline/Online, and/or Change of Network IP Address. 4. Performance data is backed up to GRIDSMART Cloud, including turning movement counts and signal performance metrics. Even if the customer doesn't have the Performance Module today, all the historical data is archived and available for future upgrades. 5. With the Performance Module, customers can create reports in the Client without connecting to the Processor or visiting the site with a USB drive. Customers can download the data directly from GRIDSMART Cloud. 6. Customers with the Performance Plus Module can set up and receive alerts for Volume Exceeded, Loss of Visibility, Flash (Loss of Greens), and Wrong Way Driver allowing customers to respond to situations before receiving complaints. 7. Connected systems provide customers with situational awareness, providing the ability to look at what is happening at an intersection in real-time. 9. STREETSMART is impossible to use without connectivity and data processing in the cloud. FUTURE APPLICATIONS CUSTOMERS WILL MISS OUT ON 1. Purdue Coordination Diagrams can only be run on GRIDSMART Cloud due to the processing power required. This is the first of many new reports and alerts that, due to the processing power required, will only be available in GRIDSMART Cloud. 2. Security patches and updates can be automatically pulled to units in the field increasing the security of the system while at the same eliminating the need to send personnel out to physically update the device. 3. In the more distant future, Connected Vehicle Applications/V2I applications like updating intersection maps, identifying insecure vehicles, and/or vehicle spoofing attacks are currently being worked on and will be necessary for safely enabling and managing connected vehicles on the roadway.

5 GRIDSMART CLOUD GRIDSMART Cloud is based entirely on and in Amazon Web Services (AWS). AWS and GRIDSMART Technologies have a close partnership and AWS recognized GRIDSMART Technologies as the winner of the City on a Cloud Innovation Challenge for being the partner with one of the most innovative technologies for cities. GRIDSMART Technologies partnership benefits customers in that AWS solution architects have reviewed the security measures employed to ensure the company meets AWS best practices. Also, GRIDSMART Technologies team has readily available access to the AWS technical team to provide aid or assistance at a moment s notice. GRIDSMART Technologies partnered with AWS based on security measures and protocols that AWS employs. AWS security is so highly regarded that the CIA and the US Department of Homeland Security use their cloud storage. The cost of building out and maintaining this type of security is staggering and would require hundreds of millions of dollars to come close to what AWS provides to partners. Detailed on the next page are a few of the security measures used to protect GRIDSMART Technologies data on AWS servers. If after reviewing this document customers still have concerns, GRIDSMART Technologies are happy to set up a call with an AWS representative to answer any questions and discuss security measures in more detail.

6 AMAZON WEB SERVICES SECURITY A) INFRASTRUCTURE SECURITY Amazon Web Services (AWS) provides several security capabilities and services to increase privacy and control network access. These include: Network firewalls built into Amazon VPC, web application firewall capabilities in AWS WAF that allow the creation of private networks, and control access to instances and applications Encryption in transit with TLS across all services Connectivity options that enable private, or dedicated, connections from the customer s office or on-premises environment B) DDoS MITIGATION Availability is of paramount importance in the cloud. AWS services and technologies are built from the ground up to provide resilience in the face of DDoS attacks. A combination of AWS services may be used to implement an in-depth defense strategy and thwart DDoS attacks. Services designed with an automatic response to DDoS help minimize time to mitigate and reduce impact.

7 C) DATA ENCRYPTION AWS offers GRIDSMART Technologies the ability to add an additional layer of security to data at rest in the cloud, providing scalable and efficient encryption features. This includes: Data encryption capabilities available in AWS storage and database services, such as EBS and S3 Flexible key management options, including AWS Key Management Service, allowing the customer to choose whether to have AWS manage the encryption keys or to enable complete control over keys In addition, AWS provides APIs for the customer to integrate encryption and data protection with any of the services customers develop or deploy in an AWS environment. D) INVENTORY AND CONFIGURATION AWS offers a range of tools to GRIDSMART Technologies to move fast while still ensuring that cloud resources comply with organizational standards and best practices. This includes: A security assessment service, Amazon Inspector, that automatically assesses applications for vulnerabilities or deviations from best practices, including impacted networks, OS, and attached storage Deployment tools to manage the creation and decommissioning of AWS resources according to organization standards Inventory and configuration management tools, including AWS Config, that identify AWS resources and then track and manage changes to those resources over time Template definition and management tools, including AWS CloudFormation to create standard, preconfigured environments

8 E) MONITORING AND LOGGING AWS provides tools and features that enable GRIDSMART Technologies to see exactly what is happening in the AWS environment. This includes: Deep visibility into API calls through AWS CloudTrail, including who, what, when, and from where calls were made Log aggregation options which streamlines investigations and compliance reporting Alert notifications through Amazon CloudWatch when specific events occur or thresholds are exceeded These tools and features give customers the visibility needed to spot issues before they impact the business, allowing improvements to security and reductions to the risk profile of their environment. F) IDENTITY AND ACCESS CONTROL AWS offers GRIDSMART Technologies the capability to define, enforce, and manage user access policies across AWS services. This includes: AWS Identity and Access Management (IAM) allowing customers to define individual user accounts with permissions across AWS resources AWS Multi-Factor Authentication for privileged accounts, including options for hardware-based authenticators AWS Directory Service allows integration and federation with corporate directories to reduce administrative overhead and improve end-user experience AWS provides native identity and access management integration across many of its services plus API integration with any GRIDSMART Technologies applications or services.

9 DEVICE SECURITY MEASURES Other measures that GRIDSMART Technologies takes to protect hardware products in the field are the following: A) Connectivity- Using a secure VPN provides a protected connection between equipment in the traffic cabinet and the cloud. B) Hardware- Traffic data is analyzed and transmitted over LTE via a private Internet Protocol Security Virtual Private Network (IPsec VPN), which encrypts all data between the cabinet and the cloud. C) PEN Tested All hardware is PEN tested by third-party cyber security experts to identify security vulnerabilities enabling the GRIDSMART Technologies team to make improvements. D) Firewall Settings allow for limited access of incoming requests to only GRIDSMART Technologies known entities. E) Software Development Our team employs a comprehensive Security Software Development Lifecycle (SDLC) in all of its development and engineering processes.

10 SECURE DATA STORAGE AWS security measures meet the requirements of these organizations, adhering to standards such as ISO , PCI DSS, NIST , and FedRAMP. All data is confidential and protected via inbound and outbound network traffic filtering to prevent data leaks. Data is backed up several times a day. Backups are transferred over an encrypted link. Multiple secure data centers ensure connectivity is always available. The IP addresses of devices are not externally accessible and are on a private network. Amazon Web Services allows GRIDSMART Technologies to mitigate DDoS attacks, coming with a % uptime guarantee. GRIDSMART Technologies leverages the reliable networks and secure practices of our wireless and cloud partners. Our dedicated teams at GRIDSMART Technologies and AWS focus on monitoring the systems, deploying patches, and evolving the system to respond to future and unknown threats.

11 SECURITY RESPONSE PROCESS GRIDSMART Technologies engineers work and build products with security in mind. A few of the ways are listed below: Engaging experts to proactively test and review the security of all GRIDSMART Technologies products Automatically pushing of security software patches. In cases of a major security patch it may not be possible to push this out to the units. In those instances, we will provide a USB drive to customers with the security patch to upload on the physical device. Informing our customers of security vulnerabilities at Accepting external reports of vulnerabilities in our products at security@gridsmart.com.