National Academies Press: OpenBook
Suggested Citation:"Appendices." National Academies of Sciences, Engineering, and Medicine. 2016. Protection of Transportation Infrastructure from Cyber Attacks: A Primer. Washington, DC: The National Academies Press. doi: 10.17226/23516.

127 Appendices Appendix A References and Sources Appendix B Acronyms Appendix C Glossary

A - 1 References and Sources Contents General Cybersecurity ................................................................................................................. 1 Cybersecurity and Transportation ............................................................................................... 2 Industrial Control Systems Cybersecurity .................................................................................. 4 Transportation System Vulnerabilities ........................................................................................ 6 Risk Assessment and Management ............................................................................................. 9 Countermeasures ....................................................................................................................... 10 Training ..................................................................................................................................... 13 Standards and Recommended Practices .................................................................................... 14 General Cybersecurity Cyber Attacks, E. Amoroso, Elsevier, 2010 “Key Principles of Cyber Security”, Accenture, 2013 Enterprise Information Security and Privacy, J. L. Bayuk, D. Schutzer, Artech House, January 2009 Cyber Security Policy Guidebook, Bayuk, J., J. Healy, et al. , Hoboken, NJ, Wiley, 2012 Engineering Information Security, S. Jacobs, Wiley, 2011 Cybercrime, Cyberpower and National Security, F. D. Kramer, S. H. Starr and L. 
Wentz, eds., Potomac Books, Inc., 2009 CIP Report: Cybersecurity, George Mason University Center for Infrastructure Protection Volume 10, Number 10, April 2012 The IT Industry’s Cybersecurity Principles for Industry and Government, Information Technology Industry Council, 2011 Glossary of Key Information Security Terms, National Institute of Standards and Technology (NIST), NISTIR 7298, Revision 2, May 2013 Special Publication (SP) 800-100 : Information Security Handbook: A Guide for Managers, NIST, March 2007

A - 2 Minimum Security Requirements for Federal Information and Information Systems, Federal Information Processing Standards (FIPS) Publication 200, March 2006 “Thirteen Principles to Ensure Enterprise System Security”, G. McGraw, SearchSecurity, 2013 “Least Privilege and More”, F. B. Schnedier. Cornell University, IEEE Computer Society, 2003 "The Protection of Information in Computer Systems", J. Saltzer, M. D. Schroeder, Proceedings of the IEEE 63, 9 pp.1278-1308, 1975 Cybersecurity Surveys Department Of Commerce Computer Security Survey, 2001 Rand National Computer System Security Survey, 2005 InformationWeek 2012 Federal Cybersecurity Survey, March 2012 2012 Deloitte-NASCIO Cybersecurity Study "State governments at risk: a call for collaboration and compliance”, 2012 Global State of Information Security Survey, Price Waterhouse Cooper, 2013 ICS SCADA Cyber Security Survey, SANS 2013 Firefly, 2014 Cybersecurity and Transportation ABI Research, Cellular M2M Connections Will Show Steady Growth to Top 297 Million in 2015 October 18, 2010 American Public Transportation Association, Recommended Practice: Securing Control and Communications Systems in Rail Transit Environment, Part 1: Elements, Organization and Risk Assessment/Management ; Part 2: Defining a Security Zone Architecture for Rail Transit and Protecting Critical Zones; Part 3, 2010 -2015 American Public Transportation Association, Cybersecurity Considerations for Public Transportation, 2014 American Public Transportation Association, Recommended Practice on Selecting Cameras, Recording Systems, High-Speed Networks and Trainlines for CCTV Systems, 2011 API Standard 1164: Pipeline SCADA Security, 2009

A - 3 System Assurance, Operations and Reactive Defense for Next Generation Vehicles, Intelligent Highway Infrastructure, and Road User Services, S. H. Bayless, S.Murphy, A. Shaw, ITS Technology Scan Series, January 2014 “Railway Security Issues: A Survey Of Developing Railway Technology”, A. H. Carlson, D. Frincke and M. J. Laude, Proceedings of the International Conference Computing, Communications, and Control Technology (CCCT), 2003 "Railroads and the Cyber Terror Threat", A.Carlson, D.Frincke, and M.Laude Technical Report CSDS-DF-TR-03- 14, Center for Secure and Dependable Systems, University of Idaho, 2003 The Roadmap to Secure Control Systems in Transportation, DHS 2012 Assessing the Security and Survivability of Transportation Control Networks, P. Oman, National Institute for Advanced Transportation Technology, 2005 Introduction to Cyber Security Issues for Transportation, T3 Webinar, M. G. Dinning, Volpe and RITA, US DOT, December 2011 Cyber Concerns for Transportation Organizations – an Overview, FHWA Resource Center in San Francisco Office of Technical Service - Operations Technical Service Team, E. Fok Webinar, RITA, US DOT, December 2011 Cyber Security Challenges: Protecting Your Transportation Management Center, Fok, Edward, ITE Journal, February, 2015. “Transportation Security”, Hunt, S. in Enterprise Information Security and Privacy , C. W. Axelrod, J. Bayuk and D. 
Schutzer eds., Artech House: 181-189, 2009 ITSA Connected Vehicle Assessment – Cybersecurity and Dependable Transportation, Connected Vehicle Technology Scan Series, 2012-2014 ITSA Machine to Machine Communications, Connected Vehicle Technology Scan Series, 2011- 2012 ITSA Website, www.itsa.gov Cybersecurity Best Practices, National Highway and Traffic Safety Agency (NHTSA), 2014 Industrial Control Systems, the NIST Risk Management Framework, and Special Publication 800-82, NIST, Nov 2012 PPT NIST Special Publication 800-82, Guide to Industrial Control Systems Security, Revision 4, 2015 TCRP 80 Transit Security Update: A Synthesis of Transit Practice, Y. Nakanishi, Transportation Research Board, 2009

A - 4 Assessing the Security and Survivability of Transportation Control Networks, P. Oman, National Institute for Advanced Transportation Technology, 2005 Connected Vehicle Research Program Presentation, Sheehan, Robert, ITSJPO, USDOT Transportation Research Board Special Report 274: Cybersecurity of Freight Information Systems: A Scoping Study, Transportation Research Board, 2003 “The Roadmap to Secure Control Systems in Transportation”, National Transportation Systems Center VOLPE, Presentation made at TRB Cyber Subcommittee Teleconference, October 2012 Cyber-Physical Systems. http://cyberphysicalsystems.org/ accessed March 6, 2015 SECUR-ED Cyber-security roadmap for PTOs “Cybersecurity and Dependable Transportation”, Outreach Presentation, TSA Cyber Security Working Group Cyber Security Awareness and Outreach, Information Assurance and Cyber Security Division (IAD), Office of Information Technology (OIT), TSA/DHS, 2012 USA PATRIOT Act of 2001, P.L.107-56 Executive Order 13636 (EO), “Improving Critical Infrastructure Cybersecurity” , February 12, 2013 National ITS Architecture 7.1, U.S. Department of Transportation ITS Joint Program Office FHWA Presentation Slides on Cyber Security TRB: Connected Vehicles Security, Van Duren, Drew, Oct., 2014 A Summary of Cybersecurity Best Practices, Volpe, NHTSA, October, 2014 Industrial Control Systems Cybersecurity American Public Transportation Association, Recommended Practice: Securing Control and Communications Systems in Rail Transit Environment, Part 1: Elements, Organization and Risk Assessment/Management, July 2010. Part 2: Defining a Security Zone Architecture for Rail Transit and Protecting Critical Zones Hidden Vulnerabilities in SCADA and Critical Infrastructure Systems, E. Byres, 2008 Critical Infrastructure Protection: Challenges In Securing Control Systems, R. Dacey, Government Accountability Office (GAO), 2003 Transportation Industrial Control Systems Cybersecurity Standards Strategy, DHS, 2012

A - 5 Security for Critical Infrastructure SCADA Systems, A. Hildick-Smith, SANS Institute, 2005 “Understanding the Physical and Economic Consequences of Attacks Against Control Systems”, Y.Huang, A. A. Cárdenas, S. Amin, Z.Lin, H.Tsai, S. Sastry, International Journal of Critical Infrastructure Protection Vol 2, Issue 2, October 2009 Lessons Learned from Cybersecurity Assessments of SCADA Systems, National SCADA TestBed Program, Idaho National Laboratory, 2006 A Baseline Standard for Industrial Control Systems, ISA/IEC-62443 Cybersecurity for Industrial Control Systems, Macaulay, Tyson and Singer, Bryan,. CRC Press, 2012 Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security, Special Publication 800-82, NIST, September 2006 NIST Special Publication 800-82, Guide to Industrial Control Systems Security, 2011 “Concerns About Intrusions into Remotely Accessible Substation Controllers and SCADA Systems”, P. Oman, E.O. Schweitzer III, D. Frincke, Paper #4, 27th Annual Western Protective Relay Conference, Spokane, WA, 2000 “SCADA HoneyNet Project: Building Honeypots for Industrial Networks”, V. Pothamsetty and M. Franz, SourceForge, 2008 “Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies”, Rinaldi, et al., IEEE Control Systems Magazine, 2001 “Assessment of the Vulnerabilities of SCADA, Control Systems and Critical Infrastructure Systems”, R. J. Robles, M. Choi, International Journal of Grid and Distributed Computing Vol.2, No.2, June 2009 “SCADA System Vulnerabilities to Field-Based Cyber Attacks”, W. T. Shaw, Electric Energy, September-October, 2004 “Common Vulnerabilities in Critical Infrastructure Control Systems”, Stamp, Dillinger, Young, DePoy, Sandia National Laboratories, May 2003 “Vulnerabilities in SCADA and Critical Infrastructure Systems”, R. J. Robles, M. Choi, E. Cho, S. Kim, G. Park, S. Yeo, International Journal of Future Generation Communication and Networking, Vol. 1, No. 
1, 2008 Control System Devices: Architectures and Supply Channels Overview, Schwartz, M. D., J. Mulder, et al, Albuquerque, New Mexico, Sandia National Laboratories, 2010

A - 6 “Cyberthreats, Vulnerabilities and Attacks on SCADA”, R. Tang, UC Berkeley, 2009 “Protecting Critical Infrastructure: SCADA Network Security Monitoring”, Tenable Network security whitepaper, August 1, 2008 Industrial Network Security, 2nd Edition, Teumim, David J., International Society of Automation, 2010 Protecting Industrial Control Systems from Electronic Threats, Weiss, J., Momentum Press, 2010 Transportation System Vulnerabilities American Public Transportation Association, Recommended Practice: Securing Control and Communications Systems in Rail Transit Environment, Part 1: Elements, Organization and Risk Assessment/Management, July 2010. Part 2: Hidden Vulnerabilities in SCADA and Critical Infrastructure Systems, E. Byres, 2008 “Security Incidents and Trends in SCADA and Process Industries”, E. Byers, D. Leversage, M. Kube, The Industrial Ethernet Book, Issue 45, 2008 “Research Challenges for the Security of Control Systems”, A. A. Cárdenas, S. Amin, S. Sastry, 3rd USENIX workshop on Hot Topics in Security (HotSec '08). Associated with the 17th USENIX Security Symposium, San Jose, CA, USA. July 2008 Computer Emergency Response Team (CERT) http://www.cert.org/ Critical Infrastructure Protection: Challenges In Securing Control Systems, R. Dacey, Government Accountability Office (GAO), 2003 Resilient Military Systems and the Advanced Cyber Threat, Defense Science Board, 2013 Common Cybersecurity Vulnerabilities in Industrial Control Systems, U.S. Department of Homeland Security (DHS) National Cyber Security Division’s Control Systems Security Program, May 2011 Introduction to Cyber Security Issues for Transportation, T3 Webinar, Michael G. 
Dinning, Volpe and RITA, US DOT, December 7, 2011 Cyber Concerns for Transportation Organizations – an Overview, FHWA Resource Center in San Francisco Office of Technical Service - Operations Technical Service Team, Edward Fok Webinar, RITA, US DOT, December 7, 2011 Cybersecurity Challenges: Protecting Your Transportation Management Centers, Edward Fok, ITE Journal, Feb. 2015

A - 7 HP Tippingpoint Hacktivist Survival Guide: Simplifying the Complex, Hewlett-Packard, 2013 Security for Critical Infrastructure SCADA Systems, A. Hildick-Smith, SANS Institute, 2005 “Understanding the Physical and Economic Consequences of Attacks Against Control Systems”, Y.Huang, A. A. Cárdenas, S. Amin, Z.Lin, H.Tsai, S. Sastry, International Journal of Critical Infrastructure Protection Vol 2, Issue 2, October 2009 Lessons Learned from Cybersecurity Assessments of SCADA Systems, National SCADA TestBed Program, Idaho National Laboratory, 2006 A Baseline Standard for Industrial Control Systems, ISA/IEC-62443 Cybersecurity for Industrial Control Systems, Macaulay, Tyson and Singer, Bryan,. CRC Press, 2012 National Institute of Standards and Emergency Technology (CERT), Source on Insider Threat and Prevention http://csrc.nist.gov/index.html Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security, Special Publication 800-82, NIST, September 2006 NIST National Vulnerability Database http://nvd.nist.gov NIST Special Publication 800-82, Guide to Industrial Control Systems Security, Revision 4, 2015 “Concerns About Intrusions into Remotely Accessible Substation Controllers and SCADA Systems”, P. Oman, E.O. Schweitzer III, D. Frincke, Paper #4, 27th Annual Western Protective Relay Conference, Spokane, WA, 2000 Top 10 -2013: The Ten Most Critical Web Application Security Risks, Open Web Application Security Project (OWASP), 2013 “SCADA HoneyNet Project: Building Honeypots for Industrial Networks”, V. Pothamsetty and M. Franz, SourceForge, 2008 “Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies”, Rinaldi, et al., IEEE Control Systems Magazine, 2001 “Vulnerabilities in SCADA and Critical Infrastructure Systems”, R. J. Robles, M. Choi, E. Cho, S. Kim, G. Park, S. Yeo, International Journal of Future Generation Communication and Networking, Vol. 1, No. 1, 2008

A - 8 “SCADA System Vulnerabilities to Field-Based Cyber Attacks”, W. T. Shaw, Electric Energy, September-October, 2004 “Common Vulnerabilities in Critical Infrastructure Control Systems”, Stamp, Dillinger, Young, DePoy, Sandia National Laboratories, May 2003 “Assessment of the Vulnerabilities of SCADA, Control Systems and Critical Infrastructure Systems”, R. J. Robles, M. Choi, International Journal of Grid and Distributed Computing Vol.2, No.2, June 2009 Control System Devices: Architectures and Supply Channels Overview, Schwartz, M. D., J. Mulder, et al, Albuquerque, New Mexico, Sandia National Laboratories, 2010 “Cyberthreats, Vulnerabilities and Attacks on SCADA”, R. Tang, UC Berkeley, 2009 “Protecting Critical Infrastructure: SCADA Network Security Monitoring”, Tenable Network security whitepaper, August 1, 2008 Industrial Network Security, 2nd Edition, Teumim, David J., International Society of Automation, 2010 “GPS Vulnerabilities", K. Van Dyke, Presentation to the TRB Cyber Security Subcommittee, 2012 Protecting Industrial Control Systems from Electronic Threats, Weiss, J., Momentum Press, 2010 Vulnerability Databases and Threat Reports Source on Insider Threat and Prevention, National Institute of Standards and Emergency Technology, CERT http://csrc.nist.gov/index.html NIST National Vulnerability Database http://nvd.nist.gov Computer Emergency Response Team (CERT) http://www.cert.org/ Internet Storm Center http://isc.sans.org/ Fraudwatch International http://fraudwatchinternational.com CISCO 2014 Annual Security Report Mandiant Threat Report 2014

A - 9 Ponemon Institute Report 2014 Symantec Internet Security Threat Report: 2011, 2012 Trends Verizon 2012 and 2013 Data Breach Investigations Reports UK 2013 Information Security Breaches Survey, Price Waterhouse, 2013 Risk Assessment and Management Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program, ANSI/ISA-62443-2-1 (99.02.01), 2009 American Public Transportation Association, Cybersecurity Considerations for Public Transportation, 2014 American Public Transportation Association, Recommended Practice: Securing Control and Communications Systems in Rail Transit Environment, Part 1: Elements, Organization and Risk Assessment/Management, July 2010. Enterprise Security for the Executive: Setting the Tone at the Top, Bayuk, Jennifer, Praeger, 2010 Cyber Security Policy Guidebook, Bayuk, J., J. Healy, et al. Wiley, Hoboken, NJ, 2012 Convergence of Enterprise Security Organizations, Booz Allen Hamilton, 2005 Cybersecurity Challenges: Protecting Your Transportation Management Centers, Edward Fok, ITE Journal, Feb. 2015 NCHRP Report 525 Vol. 14. Security 101: A Physical Security Primer for Transportation Agencies, Frazier, E. et. al. Transportation Research Board, 2009 Developing an ICS Cybersecurity Incident Response Plan, ICS-CERT Cybersecurity Evaluation Tool (CSET®), ICS-CERT Risk Management/CEO Recommended Practices, DHS US- CERT CEO Questions to Ask and Key Questions the Board Should Ask, DHS US-CERT Annual Survey, International Risk Management Institute COBIT 5 for Risk, Information System Audit and Control Association

NERC CIP-002-3, Critical Cyber Asset Identification
NIST Special Publication 800-100, Information Security Handbook: A Guide for Managers
NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, Revision 1, 2012
NIST Special Publication 800-39, Managing Information Security Risk
Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, 2014
Guide to Developing a Cyber Security and Risk Mitigation Plan, National Rural Electric Cooperative Association, 2011
Leveraging Behavioral Science to Mitigate Cyber Security Risk, Shari Lawrence Pfleeger and Deanna D. Caputo, MITRE, 2012
Developing a Security-Awareness Culture – Improving Security Decision Making, SANS Institute, 2005
Control Systems Security Program, Sawin, D., Volpe Program Manager, PowerPoint presentation given at the DHS CSSP ICSJWG Conference, Seattle, Oct. 27, 2010
Electricity Subsector Cybersecurity Risk Management Process, U.S. Department of Energy, May 2012
Energy Sector Cybersecurity Framework Implementation Guidance, U.S. Department of Energy, 2015

Countermeasures

NIST Information Security Guides: There are over 300 NIST information security publications, including Federal Information Processing Standards (FIPS), the Special Publication (SP) 800 series, Information Technology Laboratory (ITL) Bulletins, and NIST Interagency Reports (NIST IR). The most commonly referenced NIST publications include:

Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook, is an overview of computer security and control areas that emphasizes the importance of security controls and ways to implement them. Initially created for the federal government, most of its practices are applicable to the private sector.
Special Publication 800-14 describes common security principles that are used. It provides a high-level description of what should be incorporated within a computer security policy. It describes what can be done to improve existing security as well as how to develop a new security practice. Eight principles and fourteen practices are described within this document.
Special Publication 800-26 provides advice on how to manage IT security. This document emphasizes the importance of self-assessments as well as risk assessments.
Special Publication 800-30, Risk Management Guide for Information Technology Systems
Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems
Special Publication 800-53 Rev 4, Recommended Security and Privacy Controls for Federal Information Systems and Organizations, addresses the security controls that are applied to a system to make it "more secure".
Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security

Other NIST publications, listed by technical topic, include:

Authentication, Authorization, and Access Control for Direct and Remote Connectivity
NIST SP 800-73-2, Interfaces for Personal Identity Verification (4 parts), September 2008.
NIST SP 800-76-1, Biometric Data Specification for Personal Identity Verification, 2007.
NIST SP 800-57, Recommendation for Key Management, March 2007: Part 1, General (Revised); Part 2, Best Practices; Part 3, Application-Specific Key Management Guidance (Draft), October 2008.
NIST SP 800-82 Rev 1, Guide to Industrial Control Systems (ICS) Security, May 13, 2013.
Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
Barker, Elaine, et al., NIST SP 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised), March 2007.

Patch, Password, and Configuration Management
NIST SP 800-118, Guide to Enterprise Password Management (Draft).
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook.
NIST SP 800-40, Creating a Patch and Vulnerability Management Program, 2005.
Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
Dzung, D., Naedele, M., Von Hoff, T., and Crevatin, M., "Security for Industrial Communication Systems," Proceedings of the IEEE, Institute of Electrical and Electronics Engineers Inc., 2005.
NIST SP 800-82 Rev 2, Guide to Industrial Control Systems (ICS) Security, 2015.
NIST SP 800-53 Rev 4, Recommended Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
Cyber Attacks, E. Amoroso, Elsevier, 2010

Enterprise Information Security and Privacy, J. L. Bayuk, D. Schutzer, Artech House, January 2009
Critical Controls for Effective Cyber Defense, 20 Critical Security Controls - Version 4.1, COBIT, 2013
Critical Controls for Effective Cyber Defense, 20 Critical Security Controls - Version 4.1, Council on Cybersecurity, March 2013
Cybersecurity Challenges: Protecting Your Transportation Management Centers, Edward Fok, ITE Journal, Feb. 2015
ICS Cybersecurity Response to Physical Breaches of Unmanned Critical Infrastructure Sites, SANS Analyst Whitepaper, ICS-CERT, 2014
Cybersecurity Best Practices, National Highway and Traffic Safety Agency (NHTSA), 2014
NCHRP Report 525 Vol. 14, Security 101: A Physical Security Primer for Transportation Agencies, Frazier, E. et al., Transportation Research Board, 2009
21 Steps to Improve Cyber Security of SCADA Networks, U.S. Department of Energy, Infrastructure Security and Energy Restoration Committee, 2007
Cybersecurity Procurement Language for Control Systems, U.S. Department of Homeland Security and U.S. Department of Energy, 2009
Cybersecurity Procurement Language of Energy Delivery System, Energy Sector Cybersecurity Working Group, 2014
Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies, U.S. Department of Homeland Security, October 2009

BYOD
Bring Your Own Device: A Toolkit to Support Federal Agencies Implementing Bring Your Own Device, Digital Services Advisory Group and Federal Chief Information Officers Council, August 23, 2012

General IT Security Resources
Federal Desktop Core Configuration, http://fdcc.nist.gov
Microsoft Technet, http://technet.microsoft.com
ISO/IEC 27000
Book: “Standard of Good Practice”

Wireless Assets
NIST SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i

Training
Recommended Practice on Security Awareness Training for Transit Employees, APTA, 2012
A Role-Based Model for Federal Information Technology/Cybersecurity Training, NIST SP 800-16, Revision 1 (Third Draft), October 2014
Building an Information Technology Security Awareness and Training Program, NIST SP 800-50, October 2003
Cybersecurity Framework, Version 1.0, NIST, 2014
Information Security Training Requirements: A Role- and Performance-Based Model, NIST SP 800-16 Revision 1, 1998
National Rural Electric Cooperative Association, Guide to Developing a Cybersecurity and Risk Mitigation Plan, 2011
NCHRP Report 685, Strategies to Attract and Retain a Capable Transportation Workforce, Transportation Research Board, 2011
NCHRP Report 693, Attracting, Recruiting and Retaining a Skilled Staff for Transportation Systems Operations and Management, Transportation Research Board, 2012
TCRP Report 162, Building a Sustainable Workforce in the Public Transportation Industry – A Systems Approach, Transportation Research Board, 2013
NCHRP Report 793, Incorporating Transportation Security Awareness into Routine State DOT Operations and Training, Transportation Research Board, 2014
NCHRP Synthesis Report 468, Interactive Training for All-Hazards Emergency Planning, Preparation, and Response for Maintenance & Operations Field Personnel, Transportation Research Board, 2015
Transportation Roadmap, DHS, August 2012

NIST SP 800-16 (1998) provides the IT security learning continuum model, including 26 roles and role-based matrices and 46 training matrix cells, terms and concepts for IT security literacy, training content categories, and functional specialties. NIST SP 800-50, Building an Information Technology Security Awareness and Training Program (2003), describes the life cycle of a cybersecurity awareness and training program. The life cycle includes a needs assessment and an implementation strategy. The NIST SP 800-16 appendices contain helpful information on function areas, knowledge and skills, and roles. Appendix A provides information on Function Areas, including a general description of the area and the Learning Objectives for each function. Appendix B contains the Knowledge and Skills Catalog, and Appendix C presents the roles matrix using generic roles and titles.

Standards and Recommended Practices

NIST
The National Institute of Standards and Technology (NIST) has the responsibility, along with the private sector, to develop a framework of baseline standards for cybersecurity of the nation’s critical infrastructure, derived from the Presidential Directive on Cyber Security. The NIST framework relies on existing standards, guidance, and best practices, drawing heavily from guidance developed by NIST for the Federal Information Security Management Act. Selected examples of the NIST/FIPS publications include:

Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems (March 2006)
National Institute of Standards and Technology Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995. Elements of security, roles and responsibilities, common threats, security policy, program management. http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
National Institute of Standards and Technology Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, April 1998. Learning-continuum model, security literacy and basics, role-based training. http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf
National Institute of Standards and Technology Special Publication 800-30, Risk Management Guide for Information Technology Systems, July 2002. Risk management, assessment, mitigation. http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations, August 2009.
Security control fundamentals, baselines by system-impact level, common controls, tailoring guidelines, catalog of controls in 18 families. http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf
National Institute of Standards and Technology Special Publication 800-60, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008. Security objectives and types of potential losses, assignment of impact levels and system security category. http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf
National Institute of Standards and Technology Special Publication 800-82 (Final Public Draft), Guide to Industrial Control Systems (ICS) Security, September 2008. Overview of industrial control systems (ICS), threats and vulnerabilities, risk factors, incident scenarios, security program development. http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf
National Institute of Standards and Technology Special Publication 800-100, Information Security Handbook: A Guide for Managers, October 2006. Governance, awareness and training, capital planning, interconnecting systems, performance measures, security planning, contingency planning. http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
National Institute of Standards and Technology Special Publication 800-122 (Draft), Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), January 2009. Identifying PII, impact levels, confidentiality safeguards, incident response. http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
National Institute of Standards and Technology Special Publication 800-39 (Final Public Draft), Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View, December 2010. http://csrc.nist.gov/publications/drafts/800-39/draft-SP800-39-FPD.pdf

The Roadmap to Secure Control Systems in the Transportation Sector (Transportation Roadmap), which describes a plan for voluntarily improving industrial control system (ICS) cybersecurity across all transportation modes (aviation, highway, maritime, pipeline, and surface transportation), summarizes the existing cybersecurity standards for the various transportation modes.

ISO and ISA
The International Organization for Standardization (ISO) and the Information Systems Audit and Control Association (ISACA), through its Control Objectives for Information and related Technology (COBIT), have developed standards that provide the industry with best practices. ISO/IEC have developed a series of standards for “use by those responsible for initiating, implementing or maintaining information security management systems.”
  o ISO/IEC 27001: Information Security Management
  o ISO/IEC 27002: Information Technology. Security techniques. Code of practice for information security management
  o ISO/IEC 27035: Security Incident Management
  o ISO/IEC 27017 [Not yet released]: Cloud Security
  o ISO/IEC 22301: Business Continuity Management, published in May 2012, is the international standard for business continuity management

ISA/IEC-62443 (formerly ISA-99) is a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). These documents were originally referred to as ANSI/ISA-99 or ISA99 standards, as they were created by the International Society for Automation (ISA) and publicly released as American National Standards Institute (ANSI) documents. In 2010, they were renumbered to be the ANSI/ISA-62443 series. The chart below provides an overview of the relevant ISA/IEC-62443 standards.

NERC CIP
The North American Electric Reliability Council (NERC) has developed Critical Infrastructure Protection (CIP) Standards, available at http://www.nerc.com/page.php?cid=2|20:
  o CIP-002-3, Critical Cyber Asset Identification
  o CIP-003-3, Security Management Controls
  o CIP-004-3, Personnel and Training
  o CIP-005-3, Electronic Security Perimeter(s)
  o CIP-006-3, Physical Security of Critical Cyber Assets
  o CIP-007-3, Systems Security Management
  o CIP-008-3, Incident Reporting and Response Handling
  o CIP-009-3, Recovery Plans for Critical Cyber Assets
  o “Security Guidelines for the Electricity Sector: Vulnerability and Risk Assessment,” 1.0. http://www.esisac.com/publicdocs/Guides/V1-VulnerabilityAssessment.pdf
The CIP standards are also included in the collected Reliability Standards for the Bulk Electric Systems of North America, June 2010, http://www.nerc.com/files/Reliability_Standards_Complete_Set.pdf.

US-CERT
A more in-depth description of typical ICSs, their vulnerabilities, and currently available general security enhancements can be found on the United States Computer Emergency Readiness Team (US-CERT) Control Systems website at http://www.uscert.gov/control_systems/csvuls.html, and in the National Institute of Standards and Technology (NIST) Special Publication 800-82, “Guide to Industrial Control Systems (ICS) Security, Recommendations of the National Institute of Standards and Technology.”

APTA
APTA’s cybersecurity initiatives focus on transit systems and are carried out through the following Working Groups:
  - The Enterprise Cybersecurity Working Group
  - The Control & Communications Security Working Group (CCSWG)
APTA (through the CCSWG) has produced two of three Recommended Practices on Securing Control and Communications Systems in Rail Transit Environments. The CCSWG uses standards from the North American Electric Reliability Corporation Critical Infrastructure Protection program (NERC-CIP), NIST, ISA, and the IEEE to develop these Recommended Practices, which are as follows:
  - Part 1 - Elements, Organization, and Risk Assessment/Management was released in July 2010. Part 1 focuses on the importance of control and communications security to a transit agency, describes the systems that comprise a typical transit control and communications system, identifies the steps required for a successful program, and introduces risk assessment.
  - Part 2 - Defining a Security Zone Architecture for Rail Transit and Protecting Critical Zones was released in June 2013. This Part describes “Defense-in-Depth” for rail communications and control systems security, defines security zone classifications, and a minimum set of security controls for the most critical zones, the safety-critical security zone (SCSZ) and the fire, life-safety security zone (FLSZ). The recommendations apply to new rail projects or major upgrades, not the retrofitting of legacy systems.
  - Part 3 will continue to address security zones and introduce attack modelling for rail transit.
    o Subpart 3a will present the APTA Attack Modeling Security Analysis for Transit Agencies and their Systems Integrators and Vendors. The Attack Tree Analysis Scope, Attack Modeling Process, and a Case Study of the Process will be included. The expected publication date of this Subpart is January 2015.
    o Subpart 3b will cover the Operationally Critical Security Zone (OCSZ), in the same manner as Part 2 addressed the Safety Critical Security Zone (SCSZ) and the Fire, Life Safety Security Zone (FLSZ); the development of this Subpart will occur in 2015.
    o Subpart 3c will address the application of the three security zones to rail transit vehicles.

Wireless Communications
Wireless communications and wireless security standards include the following:
  - IEEE 802.15.4, building automation and control systems
  - IEEE 802.11, WLAN or Wi-Fi
  - IEEE 802.16, WiMax for long-distance broadband
  - Bluetooth, proprietary 900 MHz or 2.4 GHz (license-free spread spectrum), fixed-frequency radios (100 to 800 MHz, typically licensed), and cellular GSM/GPRS-based communications
  - IEEE 1474.3-2008, IEEE Recommended Practice for Communications-Based Train Control (CBTC) System Design and Functional Allocations

Acronyms

NIST Interagency Report 7581, System and Network Security Acronyms and Abbreviations, September 2009, contains a list of acronyms and abbreviations with their generally accepted or preferred definitions.

ACL - Access Control List
ARP - Address Resolution Protocol
AASHTO - American Association of State Highway and Transportation Officials
BCP - Business Continuity Plan
CIP - Critical Infrastructure Protection
CMVP - Cryptographic Module Validation Program
COTS - Commercial Off-the-Shelf
CPNI - Centre for the Protection of National Infrastructure
CPU - Central Processing Unit
CSE - Communications Security Establishment
CSRC - Computer Security Resource Center
CSSC - Control System Security Center
CVE - Common Vulnerabilities and Exposures
DCOM - Distributed Component Object Model
DCS - Distributed Control System(s)
DHS - Department of Homeland Security
DMZ - Demilitarized Zone
DNP3 - Distributed Network Protocol (published as IEEE 1815)
DNS - Domain Name System
DOE - Department of Energy
DoS - Denial of Service
DRP - Disaster Recovery Plan
EAP - Extensible Authentication Protocol
EMS - Energy Management System
EPRI - Electric Power Research Institute
ERP - Enterprise Resource Planning
FIPS - Federal Information Processing Standards
FISMA - Federal Information Security Modernization Act
FTP - File Transfer Protocol
GPS - Global Positioning System
HMI - Human-Machine Interface
HSPD - Homeland Security Presidential Directive
HTTP - Hypertext Transfer Protocol
HTTPS - Hypertext Transfer Protocol Secure
HVAC - Heating, Ventilation, and Air Conditioning
I/O - Input/Output
I3P - Institute for Information Infrastructure Protection
IACS - Industrial Automation and Control System

IAONA - Industrial Automation Open Networking Association
ICCP - Inter-control Center Communications Protocol
ICMP - Internet Control Message Protocol
ICS - Industrial Control System(s)
ICS-CERT - Industrial Control Systems Cyber Emergency Response Team
IDS - Intrusion Detection System
IEC - International Electrotechnical Commission
IED - Intelligent Electronic Device
IEEE - Institute of Electrical and Electronics Engineers
IETF - Internet Engineering Task Force
IGMP - Internet Group Management Protocol
INL - Idaho National Laboratory
IP - Internet Protocol
IPS - Intrusion Prevention System
IPsec - Internet Protocol Security
ISA - International Society of Automation
ISID - Industrial Security Incident Database
ISO - International Organization for Standardization
IT - Information Technology
ITE - Institute of Electrical Engineers
ITL - Information Technology Laboratory
ITS - Intelligent Transportation Systems
LAN - Local Area Network
M2M - Machine to Machine
MAC - Media Access Control
MES - Manufacturing Execution System
MIB - Management Information Base
MTU - Master Terminal Unit (also Master Telemetry Unit)
NAT - Network Address Translation
NCCIC - National Cybersecurity and Communications Integration Center
NCSD - National Cyber Security Division
NEMA - Formerly the National Electrical Manufacturers Association; now The Association of Electrical Equipment and Medical Imaging Manufacturers
NERC - North American Electric Reliability Council
NFS - Network File System
NIC - Network Interface Card
NISCC - National Infrastructure Security Coordination Centre
NIST - National Institute of Standards and Technology
NSTB - National SCADA Testbed
NTCIP - National Transportation Communications for ITS Protocol
OLE - Object Linking and Embedding
OMB - Office of Management and Budget
OPC - OLE for Process Control
OS - Operating System
OSI - Open Systems Interconnection
PCII - Protected Critical Infrastructure Information

PDA - Personal Digital Assistant
PIN - Personal Identification Number
PID - Proportional-Integral-Derivative
PIV - Personal Identity Verification
PLC - Programmable Logic Controller
PP - Protection Profile
PPP - Point-to-Point Protocol
R&D - Research and Development
RADIUS - Remote Authentication Dial In User Service
RBAC - Role-Based Access Control
RFC - Request for Comments
RMA - Reliability, Maintainability, and Availability
RMF - Risk Management Framework
RPC - Remote Procedure Call
RPO - Recovery Point Objective
RTO - Recovery Time Objective
RTU - Remote Terminal Unit (also Remote Telemetry Unit)
SC - Security Category
SCADA - Supervisory Control and Data Acquisition
SCP - Secure Copy
SFTP - Secure File Transfer Protocol
SIS - Safety Instrumented System
SMTP - Simple Mail Transfer Protocol
SNL - Sandia National Laboratories
SNMP - Simple Network Management Protocol
SP - Special Publication
SPP-ICS - System Protection Profile for Industrial Control Systems
SQL - Structured Query Language
SSH - Secure Shell
SSID - Service Set Identifier
SSL - Secure Sockets Layer
TCP - Transmission Control Protocol
TCP/IP - Transmission Control Protocol/Internet Protocol
TFTP - Trivial File Transfer Protocol
TLS - Transport Layer Security
UDP - User Datagram Protocol
UPS - Uninterruptible Power Supply
US-CERT - United States Computer Emergency Readiness Team
USB - Universal Serial Bus
VFD - Variable Frequency Drive
VLAN - Virtual Local Area Network
VPN - Virtual Private Network
WAN - Wide Area Network
XML - Extensible Markup Language

Glossary

There are a number of glossaries published with definitions of cybersecurity-related terms. The National Institute of Science and Technology (NIST) has compiled a Glossary of Key Information Security Terms (NISTIR 7298, Revision 2, May 2013). The DHS National Cyber Security Division (NCSD) has compiled a glossary. The National Institute of Cybersecurity Careers and Studies (NICCS), managed by the Cybersecurity Education and Awareness Branch (CEA) within the Department of Homeland Security’s (DHS) Office of Cybersecurity and Communications (CS&C), has developed a cybersecurity lexicon intended to complement the NIST Glossary; it is located online at http://niccs.us-cert.gov/glossary.

A

Access: The ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions. (CNSSI 4009)

Access control: The process of granting or denying specific requests for or attempts to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities. (CNSSI 4009)

Access control mechanism: Security measures designed to detect and deny unauthorized access and permit authorized access to an information system or a physical facility. (Adapted from CNSSI 4009)

Active attack: An actual assault perpetrated by an intentional threat source that attempts to alter a system, its resources, its data, or its operations. (Adapted from IETF RFC 4949, NIST SP 800-63 Rev 1)

Active content: Software that is able to automatically carry out or trigger actions without the explicit intervention of a user. (Adapted from CNSSI 4009)

Advanced Persistent Threat (APT): An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). The intention of an APT may be to steal data, to cause damage to the network or organization, or to plant attack capabilities for future activation. Stuxnet is an example of an APT. (NIST SP 800-53 Rev 4)

Air gap: To physically separate or isolate a system from other systems or networks (verb). The physical separation or isolation of a system from other systems or networks (noun).

Antispyware software: A program that specializes in detecting and blocking or removing forms of spyware. (Adapted from NCSD Glossary)

Antivirus software: A program that monitors a computer or network to detect or identify major types of malicious code and to prevent or contain malware incidents, sometimes by removing or neutralizing the malicious code. (Adapted from NCSD Glossary)

Attack or cyber attack: An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity. The intentional act of attempting to bypass one or more security services or controls of an information system. (NCSD Glossary; NTSSI 4009 (2000); CNSSI 4009)

Attack method or attack mode: The manner or technique and means an adversary may use in an assault on information or an information system. (Adapted from DHS Risk Lexicon, NCSD Glossary)

Attack path: The steps that an adversary takes or may take to plan, prepare for, and execute an attack. (Adapted from DHS Risk Lexicon, NCSD Glossary)

Attack pattern: Similar cyber events or behaviors that may indicate an attack has occurred or is occurring, resulting in a security violation or a potential security violation. For software, descriptions of common methods for exploiting software systems. (Adapted from Oak Ridge National Laboratory Visualization Techniques for Computer Network Defense, MITRE's CAPEC web site)

Attack signature: A characteristic or distinctive pattern that can be searched for or that can be used in matching to previously identified attacks. An automated set of rules for identifying a potential threat (such as an exploit or the presence of an attacker tool) and possible responses to that threat. (Adapted from NCSD Glossary, CNSSI 4009, ISSG V1.2 Database)

Attack surface: The set of ways in which an adversary can enter a system and potentially cause damage. An information system's characteristics that permit an adversary to probe, attack, or maintain presence in the information system.

Authentication: The process of verifying the identity or other attributes of an entity (user, process, or device). Also the process of verifying the source and integrity of data. A simple and common authentication procedure is a password. “Two-factor” authentication is the use of two independent forms of authentication, such as a password, a fingerprint, or a series of digits generated by a secure identification token (a small handheld device). (Adapted from CNSSI 4009, NIST SP 800-21, NISTIR 7298)

Authenticity: A property, achieved through cryptographic methods, of being genuine and being able to be verified and trusted, resulting in confidence in the validity of a transmission, information or a message, or the sender of information or a message. (Adapted from CNSSI 4009, NIST SP 800-53 Rev 4)

Authorization: A process of determining, by evaluating applicable access control information, whether a subject is allowed to have the specified types of access to a particular resource. The process or act of granting access privileges, or the access privileges as granted. (OASIS SAML Glossary 2.0; Adapted from CNSSI 4009)

Availability: The property of being accessible and usable upon demand. In cybersecurity, applies to assets such as information or information systems. (Adapted from CNSSI 4009, NIST SP 800-53 Rev 4, 44 U.S.C., Sec 3542)

B

Backdoor: An undocumented way of gaining access to a computer system. A backdoor is a potential security risk.

Batch Process: A process that leads to the production of finite quantities of material by subjecting quantities of input materials to an ordered set of processing activities over a finite time using one or more pieces of equipment. (ANSI/ISA-88.01-1995)

Behavior monitoring: Observing activities of users, information systems, and processes and measuring the activities against organizational policies and rules, baselines of normal activity, thresholds, and trends.

Blacklist: A list of entities that are blocked or denied privileges or access.

Bot: A computer connected to the Internet that has been surreptitiously compromised with malicious logic to perform activities under the remote command and control of a remote administrator. A member of a larger collection of compromised computers known as a botnet.

Bot master or bot herder: The controller of a botnet that, from a remote location, provides direction to the compromised computers in the botnet.

Botnet: A network of computers that have been penetrated, compromised, and programmed to operate on the commands of an unauthorized remote user, usually without the knowledge of their owners or operators. The network of “robot” computers can then be manipulated by the remote actor to commit attacks on other systems. The computers on botnets are frequently referred to as “zombies” and are often employed in digital denial of service attacks.

Broadcast: Transmission to all devices in a network without any acknowledgment by the receivers. (IEC/PAS 62410)

Buffer Overflow: A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Adversaries exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system. (NIST SP 800-28)

Bug: An unexpected and relatively small defect, fault, flaw, or imperfection in an information system or device. (NCSD Glossary)

Build Security In: A set of principles, practices, and tools to design, develop, and evolve information systems and software that enhance resistance to vulnerabilities, flaws, and attacks. (Adapted from Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program (2011), US-CERT's Build Security In website)

C

Cloud computing: A model for enabling on-demand network access to a shared pool of configurable computing capabilities or resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. (Adapted from CNSSI 4009, NIST SP 800-145)

Communications Router: A communications device that transfers messages between two networks. Common uses for routers include connecting a LAN to a WAN, and connecting MTUs and RTUs to a long-distance network medium for SCADA communication.

Computer network defense: The actions taken to defend against unauthorized activity within computer networks. (CNSSI 4009)

Confidentiality: A property that information is not disclosed to users, processes, or devices unless they have been authorized to access the information. Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. (Adapted from CNSSI 4009, NIST SP 800-53 Rev 4, 44 U.S.C., Sec 3542)

Configuration (of a system or device): A step in system design; for example, selecting functional units, assigning their locations, and defining their interconnections. (IEC/PAS 62409)

Configuration Control: The process for controlling modifications to hardware, firmware, software, and documentation to ensure the information system is protected against improper modifications before, during, and after system implementation. (CNSSI 4009)

Continuous Monitoring: A continuous monitoring program is a process designed to regularly assess information systems to determine if the complete set of planned, required, and deployed security controls within an information system continue to be effective over time, as changes in the system occur. Continuous monitoring transforms the traditional model of static, sporadic security compliance assessments into dynamic, near-real-time situational awareness.

Consequence: The effect of an event, incident, or occurrence. Extended definition: In cybersecurity, the effect of a loss of confidentiality, integrity, or availability of information or an information system on an organization's operations, its assets, on individuals, other organizations, or on national interests. (Adapted from DHS Risk Lexicon, National Infrastructure Protection Plan, NIST SP 800-53 Rev 4)

Continuity of Operations Plan: A document that sets forth procedures for the continued performance of core capabilities and critical operations during any disruption or potential disruption. (Adapted from CPG 101, CNSSI 4009)

Control: The part of the ICS used to perform the monitoring and control of the physical process. This includes all control servers, field devices, actuators, sensors, and their supporting communication systems.

Control Center: An equipment structure or group of structures from which a process is measured, controlled, and/or monitored. (ANSI/ISA-51.1-1979)

Control Loop: A control loop consists of sensors for measurement, controller hardware such as PLCs, actuators such as control valves, breakers, switches, and motors, and the communication of variables. Controlled variables are transmitted to the controller from the sensors. The controller interprets the signals and generates corresponding manipulated variables, based on set points, which it transmits to the actuators. Process changes from disturbances result in new sensor signals, identifying the state of the process, to again be transmitted to the controller.

Control Network: Those networks of an enterprise typically connected to equipment that controls physical processes and that is time- or safety-critical. The control network can be subdivided into zones, and there can be multiple separate control networks within one enterprise and site. (ISA99)

Control Server: A controller that also acts as a server that hosts the control software that communicates with lower-level control devices, such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs), over an ICS network. In a SCADA system, this is often called a SCADA server, MTU, or supervisory controller.

Control System: A system in which deliberate guidance or manipulation is used to achieve a prescribed value for a variable. Control systems include SCADA, DCS, PLCs, and other types of industrial measurement and control systems.

Controlled Variable: The variable that the control system attempts to keep at the set point value. The set point may be constant or variable. (The Automation, Systems, and Instrumentation Dictionary)

Controller: A device or program that operates automatically to regulate a controlled variable. (ANSI/ISA-51.1-1979)

Critical infrastructure: The systems and assets, whether physical or virtual, so vital to society that the incapacity or destruction of such may have a debilitating impact on the security, economy, public health or safety, environment, or any combination of these matters. (Adapted from National Infrastructure Protection Plan)

C - 28

C - 29 Cybercrime Criminal activity conducted using computers and the Internet, often financially motivated. Cybercrime includes identity theft, fraud, and internet scams, among other activities. Cybercrime is distinguished from other forms of malicious cyber activity, which have political, military, or espionage motivations. Cyber exercise A planned event during which an organization simulates a cyber-disruption to develop or test capabilities such as preventing, detecting, mitigating, responding to or recovering from the disruption. (Adapted from NCSD Glossary, DHS Homeland Security Exercise and Evaluation Program) Cyber incident Actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein. A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. (NIST Glossary) Cyber infrastructure An electronic information and communications systems and services and the information contained therein. The information and communications systems and services composed of all hardware and software that process, store, and communicate information, or any combination of all of these elements. Processing includes the creation, access, modification, and destruction of information. Storage includes paper, magnetic, electronic, and all other media types. Communications include sharing and distribution of information. (Adapted from NIPP) Cybersecurity The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation. 
Strategy, policy, and standards regarding the security of and operations in cyberspace, and encompass[ing] the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure. (Adapted from CNSSI 4009, NIST SP 800-53 Rev 4, NIPP, DHS National Preparedness Goal; White House Cyberspace Policy Review, May 2009)
Cyberspace: The interdependent network of information technology infrastructures that includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers. (Adapted from NSPD 54/HSPD-23, CNSSI 4009, NIST SP 800-53 Rev 4)

D

Data aggregation: The process of gathering and combining data from different sources, so that the combined data reveals new information. The new information is more sensitive than the individual data elements themselves, and the person who aggregates the data was not granted access to the totality of the information. (Adapted from CNSSI 4009)

Data breach or data leakage: The unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.

Data Diode: A data diode (also referred to as a unidirectional gateway, deterministic one-way boundary device or unidirectional network) is a network appliance or device allowing data to travel only in one direction.

Data integrity: The property that data is complete, intact, and trusted and has not been modified or destroyed in an unauthorized or accidental manner. (Adapted from CNSSI 4009, NIST SP 800-27)

Data loss: The result of unintentionally or accidentally deleting data, forgetting where it is stored, or exposure to an unauthorized party.

Demilitarized Zone (DMZ): An interface on a routing firewall that is similar to the interfaces found on the firewall’s protected side. Traffic moving between the DMZ and other interfaces on the protected side of the firewall still goes through the firewall and can have firewall protection policies applied. (SP 800-41) A host or network segment inserted as a “neutral zone” between an organization’s private network and the Internet. (SP 800-45) Perimeter network segment that is logically between internal and external networks. Its purpose is to enforce the internal network’s Information Assurance policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding the internal networks from outside attacks. (CNSSI 4009)

Denial of service: An attack that prevents or impairs the authorized use of information system resources or services. A distributed denial of service is a denial of service technique that uses numerous systems to perform the attack simultaneously. (Adapted from NCSD Glossary)

Digital or computer forensics: The processes and specialized techniques for gathering, retaining, and analyzing system-related data (digital evidence) for investigative purposes. (Adapted from CNSSI 4009)

Digital Denial of Service (DDOS): A cyber war technique in which an Internet site, a server, or a router is flooded with more requests for data than the site or device can respond to or process. Consequently, legitimate traffic cannot access the site and the site is in effect shut down. Botnets are used to conduct such attacks, thus distributing the attack over thousands of originating computers acting in unison.

Digital signature: A value computed with a cryptographic process using a private key and then appended to a data object, thereby digitally signing the data. (Adapted from CNSSI 4009, IETF RFC 2828, ICAM SAML 2.0 WB SSO Profile 1.0.2, InCommon Glossary, NIST SP 800-63 Rev 1)

Disruption: An event which causes unplanned interruption in operations or functions for an unacceptable length of time. (Adapted from CNSSI 4009)

E

Encryption: The scrambling of information so that it is unreadable to those who do not have the code to unscramble it.

Enterprise risk management: A comprehensive approach to risk management that engages people, processes, and systems across an organization to improve the quality of decision making for managing risks that may hinder an organization’s ability to achieve its objectives. Involves identifying mission dependencies on enterprise capabilities, identifying and prioritizing risks due to defined threats, implementing countermeasures to provide both a static risk posture and an effective dynamic response to active threats, and assessing enterprise performance against threats and adjusting countermeasures as necessary. (Adapted from DHS Risk Lexicon, CNSSI 4009)

Event: An observable occurrence in an information system or network. Sometimes provides an indication that an incident is occurring or at least raises the suspicion that an incident may be occurring. (Adapted from CNSSI 4009)

Exfiltration: The unauthorized transfer of information from an information system. (NIST SP 800-53 Rev 4)

Exploit: A technique to breach the security of a network or information system in violation of security policy. (Adapted from ISO/IEC 27039 (draft))

Exposure: The condition of being unprotected, thereby allowing access to information or access to capabilities that an attacker can use to enter a system or network. (Adapted from NCSD glossary)

F

Failure: The inability of a system or component to perform its required functions within specified performance requirements. (NCSD Glossary)

Firewall: A capability to limit network traffic between networks and/or information systems. A hardware/software device or a software program that limits network traffic according to a set of rules of what access is and is not allowed or authorized. (Adapted from CNSSI 4009)

H

Hack: A verb meaning to gain unauthorized access into a computer system.

Hacker: An unauthorized user who attempts to or gains access to an information system. (CNSSI 4009)
Hacktivism: The exploitation of computers and computer networks as a means of protest to promote political ends. The anti-secrecy group Anonymous is an example of a hacktivist organization.

I

Identity and access management: The methods and processes used to manage subjects and their authentication and authorizations to access specific objects.

Incident: An occurrence that actually or potentially results in adverse consequences to (adverse effects on) (poses a threat to) an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate the consequences. An occurrence that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. (Adapted from CNSSI 4009, FIPS 200, NIST SP 800-53 Rev 4, ISSG)

Incident management: The management and coordination of activities associated with an actual or potential occurrence of an event that may result in adverse consequences to information or information systems. (Adapted from NCSD Glossary, ISSG NCPS Target Architecture Glossary)

Incident response plan: A set of predetermined and documented procedures to detect and respond to a cyber incident. (Adapted from CNSSI 4009)

Indicator: An occurrence or sign that an incident may have occurred or may be in progress. (Adapted from CNSSI 4009, NIST SP 800-61 Rev 2 (DRAFT), ISSG V1.2 Database)

Industrial Control System: Computer-based facilities, systems, and equipment used to remotely monitor and/or control critical/sensitive processes and physical functions. These systems collect measurement and operational data from field locations, process and display this information, and, in some systems, relay control commands to local or remote equipment or to human-machine interfaces (operators). (Transportation Industrial Control Systems Cybersecurity Standards Strategy, DHS, 2012) An information system used to control industrial processes such as manufacturing, product handling, production, and distribution or to control infrastructure assets. (Adapted from NIST SP 800-53 Rev 4, NIST SP 800-82)

Information assurance: The measures that protect and defend information and information systems by ensuring their availability, integrity, and confidentiality. (Adapted from CNSSI 4009)

Information sharing: An exchange of data, information, and/or knowledge to manage risks or respond to incidents. (Adapted from NCSD glossary)

Information system resilience: The ability of an information system to: (1) continue to operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (2) recover effectively in a timely manner. (Adapted from NIST SP 800-53 Rev 4)

Information technology: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. . . . The term information technology includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware, and similar procedures, services (including support services), and related resources. (40 USC, Sec 11101) Any equipment or interconnected system or subsystem of equipment that processes, transmits, receives, or interchanges data or information. (Adapted from CNSSI 4009, NIST SP 800-53 rev. 4, based on 40 U.S.C. sec. 1401)

Inside(r) threat: A person or group of persons within an organization who pose a potential risk through violating security policies. One or more individuals with the access and/or inside knowledge of a company, organization, or enterprise that would allow them to exploit the vulnerabilities of that entity's security, systems, services, products, or facilities with the intent to cause harm. (Adapted from CNSSI 4009; from NIAC Final Report and Recommendations on the Insider Threat to Critical Infrastructure, 2008)
Integrated risk management: The structured approach that enables an enterprise or organization to share risk information and analysis and to synchronize independent yet complementary risk management strategies to unify efforts across the enterprise. (Adapted from DHS Risk Lexicon)

Integrity: The property whereby information, an information system, or a component of a system has not been modified or destroyed in an unauthorized manner. A state in which information has remained unaltered from the point it was produced by a source, during transmission, storage, and eventual receipt by the destination. (Adapted from CNSSI 4009, NIST SP 800-53 Rev 4, 44 U.S.C., Sec 3542, SANS; from SAFE-BioPharma Certificate Policy 2.5)

Intent: A state of mind or desire to achieve an objective. (Adapted from DHS Risk Lexicon)

Interoperability: The ability of two or more systems or components to exchange information and to use the information that has been exchanged. (Adapted from IEEE Standard Computer Dictionary, DHS personnel)

Intrusion: An unauthorized act of bypassing the security mechanisms of a network or information system. (Adapted from CNSSI 4009)

Intrusion detection: The process and methods for analyzing information from networks and information systems to determine if a security breach or security violation has occurred. (Adapted from CNSSI 4009, ISO/IEC 27039 (draft))

K

Key: The numerical value used to control cryptographic operations, such as decryption, encryption, signature generation, or signature verification. (CNSSI 4009)

Key pair: A public key and its corresponding private key. Two mathematically related keys having the property that one key can be used to encrypt a message that can only be decrypted using the other key. (Adapted from CNSSI 4009, Federal Bridge Certificate Authority Certification Policy 2.25)

Keylogger or keystroke logger: Software or hardware that tracks keystrokes and keyboard events, usually surreptitiously or secretly, to monitor actions by the user of an information system. Cybercriminals install them on computers to clandestinely record the computer user's passwords and other confidential information.

L

Logic bomb: A software application or series of instructions that cause a system or network to shut down and/or to erase all data or software on the network. A logic bomb is a type of malware.

M

Macro virus: A type of malicious code that attaches itself to documents and uses the macro programming capabilities of the document’s application to execute, replicate, and spread or propagate itself. (Adapted from CNSSI 4009)

Malicious applet: A small application program that is automatically downloaded and executed and that performs an unauthorized function on an information system. (CNSSI 4009)

Malicious code: Program code intended to perform an unauthorized function or process that will have adverse impact on the confidentiality, integrity, or availability of an information system. Includes software, firmware, and scripts. (Adapted from CNSSI 4009, NIST SP 800-53 Rev 4)

Malicious logic: Hardware, firmware, or software that is intentionally included or inserted in a system to perform an unauthorized function or process that will have adverse impact on the confidentiality, integrity, or availability of an information system. (Adapted from CNSSI 4009)

Malware: Software that compromises the operation of a system by performing an unauthorized function or process. (Adapted from CNSSI 4009, NIST SP 800-83)

Mitigation: The application of one or more measures to reduce the likelihood of an unwanted occurrence and/or lessen its consequences. Implementing appropriate risk-reduction controls based on risk management priorities and analysis of alternatives. (Adapted from DHS Risk Lexicon, CNSSI 4009, NIST SP 80)

N

Network resilience: The ability of a network to: (1) provide continuous operation (i.e., highly resistant to disruption and able to operate in a degraded mode if damaged); (2) recover effectively if failure does occur; and (3) scale to meet rapid or unpredictable demands. (Adapted from CNSSI 4009)

Network Services: Installs, configures, tests, operates, maintains, and manages networks and their firewalls, including hardware (e.g., hubs, bridges, switches, multiplexers, routers, cables, proxy servers, and protective distributor systems) and software that permit the sharing and transmission of all spectrum transmissions of information to support the security of information and information systems.

Non-repudiation: A property achieved through cryptographic methods to protect against an individual or entity falsely denying having performed a particular action related to data. Provides the capability to determine whether a given individual took a particular action such as creating information, sending a message, approving information, and receiving a message. (Adapted from CNSSI 4009; from NIST SP 800-53 Rev 4)

O

Object: A passive information system-related entity containing or receiving information. (Adapted from CNSSI 4009, NIST SP 800-53 Rev 4)

Outside(r) threat: A person or group of persons external to an organization who are not authorized to access its assets and pose a potential risk to the organization and its assets. (Adapted from CNSSI 4009)

P

Passive attack: An actual assault perpetrated by an intentional threat source that attempts to learn or make use of information from a system, but does not attempt to alter the system, its resources, its data, or its operations. (Adapted from IETF RFC 4949, NIST SP 800-63 Rev 1)
Password: A string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization. (FIPS 140-2)

Pen test or penetration testing: An evaluation methodology whereby assessors search for vulnerabilities and attempt to circumvent the security features of a network and/or information system. (Adapted from NCSD Glossary, CNSSI 4009, NIST SP 800-53 Rev 4)

Personal Identifying Information / Personally Identifiable Information: The information that permits the identity of an individual to be directly or indirectly inferred. (Adapted from NCSD Glossary, CNSSI 4009, GAO Report 08-356, as cited in NIST SP 800-63 Rev 1)

Pharming: A technique used by hackers to redirect users to false websites without their knowledge.

Phishing: A digital form of social engineering to deceive individuals into providing sensitive information such as usernames, passwords, social security numbers and credit card details. Common phishing tactics include posing as a known contact, a legitimate company, or an otherwise trusted entity in an electronic communication. (Adapted from NCSD Glossary, CNSSI 4009, NIST SP 800-63 Rev 1)

Plaintext: Unencrypted information. (CNSSI 4009)

Precursor: An observable occurrence or sign that an attacker may be preparing to cause an incident. (Adapted from CNSSI 4009, NIST SP 800-61 Rev 2 (DRAFT))

Privacy: The assurance that the confidentiality of, and access to, certain information about an entity is protected. The ability of individuals to understand and exercise control over how information about themselves may be used by others. (NIST SP 800-130)

Private key: A cryptographic key that must be kept confidential and is used to enable the operation of an asymmetric (public key) cryptographic algorithm. The secret part of an asymmetric key pair that is uniquely associated with an entity. (Adapted from CNSSI 4009, NIST SP 800-63 Rev 1, FIPS 201-2, FIPS 140-2, Federal Bridge Certificate Authority Certification Policy 2.25)

Public Key Infrastructure: A framework consisting of standards and services to enable secure, encrypted communication and authentication over potentially insecure networks such as the Internet. A framework and services for generating, producing, distributing, controlling, accounting for, and revoking (destroying) public key certificates. (Adapted from CNSSI 4009, IETF RFC 2828, Federal Bridge Certificate Authority Cross-certification Methodology 3.0, InCommon Glossary, Kantara Identity Assurance Framework 1100, NIST SP 800-63 Rev 1)

R

Recovery: The activities after an incident or event to restore essential services and operations in the short and medium term and fully restore all capabilities in the longer term. (Adapted from NIPP)

Redundancy: Additional or alternative systems, sub-systems, assets, or processes that maintain a degree of overall functionality in case of loss or failure of another system, sub-system, asset, or process. (DHS Risk Lexicon)

Response: The activities that address the short-term, direct effects of an incident and may also support short-term recovery. In cybersecurity, response encompasses both automated and manual activities. (Adapted from National Infrastructure Protection Plan, NCPS Target Architecture Glossary)

Risk: The potential for an unwanted or adverse outcome resulting from an incident, event, or occurrence, as determined by the likelihood that a particular threat will exploit a particular vulnerability, with the associated consequences. (Adapted from DHS Risk Lexicon, NIPP and adapted from CNSSI 4009, FIPS 200, NIST SP 800-53 Rev 4, SAFE-BioPharma Certificate Policy 2.5)

Risk assessment: The product or process which collects information and assigns values to risks for the purpose of informing priorities, developing or comparing courses of action, and informing decision making. The appraisal of the risks facing an entity, asset, system, or network, organizational operations, individuals, geographic area, other organizations, or society, and includes determining the extent to which adverse circumstances or events could result in harmful consequences. (Adapted from DHS Risk Lexicon, CNSSI 4009, NIST SP 800-53 Rev 4)

Risk-based data management: A structured approach to managing risks to data and information by which an organization selects and applies appropriate security controls in compliance with policy and commensurate with the sensitivity and value of the data.

Rootkit: A set of software tools with administrator-level access privileges installed on an information system and designed to hide the presence of the tools, maintain the access privileges, and conceal the activities conducted by the tools. (Adapted from CNSSI 4009)

S

Security policy: A rule or set of rules that govern the acceptable use of an organization's information and services to a level of acceptable risk and the means for protecting the organization's information assets. A rule or set of rules applied to an information system to provide security services. (Adapted from CNSSI 4009, NIST SP 800-53 Rev 4, NIST SP 800-130, OASIS SAML Glossary 2.0)

Situational awareness: Comprehending information about the current and developing security posture and risks, based on information gathered, observation and analysis, and knowledge or experience. In cybersecurity, comprehending the current status and security posture with respect to availability, confidentiality, and integrity of networks, systems, users, and data, as well as projecting future states of these. (Adapted from CNSSI 4009, DHS personnel, National Response Framework)

Software assurance: The level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that the software functions in the intended manner. (CNSSI 4009)

Spam: The abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages. (Adapted from CNSSI 4009)

Spoofing: Faking the sending address of a transmission to gain illegal [unauthorized] entry into a secure system. The deliberate inducement of a user or resource to take incorrect action. Note: Impersonating, masquerading, piggybacking, and mimicking are forms of spoofing. (CNSSI 4009)

Spyware: Software that is secretly or surreptitiously installed into an information system without the knowledge of the system user or owner. (Adapted from CNSSI 4009, NIST SP 800-53 Rev 4)

Supervisory Control and Data Acquisition (SCADA): A generic name for a computerized system that is capable of gathering and processing data and applying operational controls to geographically dispersed assets over long distances. (Adapted from NCSD Glossary, CNSSI 4009)
System integrity: The attribute of an information system when it performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system. (CNSSI 4009)

T

Threat: A circumstance or event that has or indicates the potential to exploit vulnerabilities and to adversely impact (create adverse consequences for) organizational operations, organizational assets (including information and information systems), individuals, other organizations, or society. Includes an individual or group of individuals, an entity (such as an organization or a nation), action, or occurrence. (Adapted from DHS Risk Lexicon, NIPP, CNSSI 4009, NIST SP 800-53 Rev 4)

Threat actor or threat agent: An individual, group, organization, or government that conducts or has the intent to conduct detrimental activities. (Adapted from DHS Risk Lexicon)

Threat analysis: The detailed evaluation of the characteristics of individual threats.

Threat assessment: The product or process of identifying or evaluating entities, actions, or occurrences, whether natural or man-made, that have or indicate the potential to harm life, information, operations, and/or property. (From DHS Risk Lexicon and adapted from CNSSI 4009, NIST SP 800-53, Rev 4)

Traffic light protocol: A set of designations employing four colors (RED, AMBER, GREEN, and WHITE) used to ensure that sensitive information is shared with the correct audience. (Adapted from US-CERT)

Transportation infrastructure: Travel ways (e.g., pavements or fixed guideways such as rails), structures (e.g., bridges, tunnels, plazas and buildings), fixtures and appurtenances (e.g., signals, signs, sensors, gates, controllers and computers) and rolling stock (e.g., transit vehicles and support service vehicles).

Trojan horse: A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program. (CNSSI 4009)

U

Unauthorized access: Any access that violates the stated security policy. (CNSSI 4009)

V

Virus: A computer program that can replicate itself, infect a computer without permission or knowledge of the user, and then spread or propagate to another computer. (Adapted from CNSSI 4009)

Vulnerability: A characteristic or specific weakness that renders an organization or asset (such as information or an information system) open to exploitation by a given threat or susceptible to a given hazard. A characteristic of location or security posture or of design, security procedures, internal controls, or the implementation of any of these that permits a threat or hazard to occur. (Adapted from DHS Risk Lexicon, CNSSI 4009, NIST SP 800-53 Rev 4)

Vulnerability Assessment and Management: Cybersecurity work in which a person conducts assessments of threats and vulnerabilities, determines deviations from acceptable configurations, enterprise or local policy, assesses the level of risk, and develops and/or recommends appropriate mitigation countermeasures in operational and non-operational situations.

W

Weakness: A shortcoming or imperfection in software code, design, architecture, or deployment that, under proper conditions, could become a vulnerability or contribute to the introduction of vulnerabilities. (Adapted from ITU-T X.1520 CWE, FY 2013 CIO FISMA Reporting Metrics)

Whitelist: A list of entities that are considered trustworthy and are granted access or privileges.

Work factor: An estimate of the effort or time needed by a potential adversary, with specified expertise and resources, to overcome a protective measure. (Adapted from CNSSI 4009)

Worm: A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself. (CNSSI 4009)

Z

Zero-day Attack: A cyberattack that uses previously unknown coding (malware, etc.) or exploits a previously unknown security vulnerability. This type of attack is particularly dangerous because existing patches, anti-virus software, and other defenses are not programmed to defend against it. It is called a zero-day attack because it occurs on “day zero” of learning of the vulnerability.

Zombie: Computers on botnets are frequently referred to as “zombies” and are often employed in digital denial of service attacks.

Protection of Transportation Infrastructure from Cyber Attacks: A Primer

TRB's Protection of Transportation Infrastructure from Cyber Attacks: A Primer provides transportation organizations with reference materials concerning cybersecurity concepts, guidelines, definitions, and standards. The primer is a joint product of two TRB Cooperative Research Programs, and is categorized as Transit Cooperative Research Program (TCRP) Web-Only Document 67 and National Cooperative Highway Research Program (NCHRP) Web-Only Document 221.

The Primer delivers strategic, management, and planning information associated with cybersecurity and its applicability to transit and state DOT operations. It includes definitions and rationales that describe the principles and practices that enable effective cybersecurity risk management. The primer provides transportation managers and employees with greater context and information regarding the principles of information technology and operations systems security planning and procedures.

The report is supplemented with an Executive Briefing for use as a 20-minute presentation to senior executives on security practices for transit and DOT cyber and industrial control systems. A PowerPoint summary of the project is also available.