PROVIDING RESILIENCY ANDSECURITY FOR INTELLIGENTTRANSPORTATION SYSTEMS

Larry Jaffe

AECOM

ITSVA Annual ConferenceMay 4, 2017

– Larry Jaffe, CISSP, GICSP

Over 25 years of experience designing and engineering security, communications and audiovisual systems

• SME for control system cyber security• Project manager

Introduction

Examples

January 200812 people injured when a 14 year old boy uses a modified TV remote control to derails Polish trams. Discovered trams used IR to signal track controls. Recorded and replayed IR signals.

– http://www.risidata.com/

August 20, 2003CSX halted passenger and freight train traffic in response to a worm infection. The worm infected the telecommunications network that supported both their signal system and dispatch system. Service was affected in 23 states.

December 23, 2015Power outage in Ukraine was caused by BlackEnergy Malware. The infection was implanted with a spear phishing email with a malicious Microsoft Office (MS Word) attachment.

Multiple IncidentsHacked portable message signs are a common occurrence as they are often left unlocked. The instructions for programming them are easily searchable online.

ICS is vulnerable to cyber attack

Attacks have real-world impact– Life safety, reputation

New vulnerabilities discovered every week

Motorist and board level awareness because of recent major cyber breaches (Target, OPM, Sony, etc.)

200-300 Reported Incidents Each Year

2014 Incidents by Sector

ICS Cyber Incidents

Threat Actors

Cyber Kill Chain

Increasing risk & cost to contain & remediate

Reconnaissance Weaponization Delivery Exploitation Installation Command &

ControlActions on

Intent

Attacker research Create malware Phish or similar attack

Malware exploits vulnerability

Operations of malware

Attacker control of system

Lateral movement & Exfiltration

MANAGING RISK

Implement an Information Security Program

– Security and Risk management

– Asset Security

– Security Engineering

– Communications and Network Security

– Identity and Access Management

– Security Assessment and Testing

– Security Operations

– Software Development Security

Categorize

Select Controls

Implement Controls

Assess Controls

Authorize System

Monitor Controls

Risk Management

Process

Best Practices (a VERY abbreviated list)

– Educate your users about phishing• Lots of free awareness material available• White-phish your users

– Inventory your system assets• The adversary knows what’s really running on your network.

Do you?

– Patch, Patch, Patch

Questions?