National Academies Press: OpenBook

Protection of Transportation Infrastructure from Cyber Attacks: A Primer (2016)

Chapter: Chapter 7 Security Programs and Support Frameworks

Suggested Citation:"Chapter 7 Security Programs and Support Frameworks." National Academies of Sciences, Engineering, and Medicine. 2016. Protection of Transportation Infrastructure from Cyber Attacks: A Primer. Washington, DC: The National Academies Press. doi: 10.17226/23516.

Chapter 7 Security Programs and Support Frameworks

To assist in the protection of transportation infrastructure, the federal government has issued a number of legislative initiatives, presidential orders, and federal department mandates, regulations, and guidelines. This chapter identifies components of the federal government's infrastructure protection and cybersecurity strategies that relate to the transportation sector. By understanding these initiatives and activities, transportation agencies can obtain a sense of the national strategies and supportive frameworks available to help them reduce cybersecurity risks.

Cybersecurity and Critical Infrastructure

The USA Patriot Act of 2001 (P.L. 107-56) established the federal definition of "critical" infrastructure still in use today:

Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters (Sec. 1016(e)).

The National Strategy to Secure Cyberspace, issued in early 2003, outlined priorities for protecting against cyber threats and the damage these threats can cause. The Strategy called for DHS and the Department of Energy (DOE) to work with industry to "... develop best practices and new technology to increase security of digital control systems/SCADA systems, to determine the most critical digital control systems/SCADA-related sites, and to develop a prioritized plan for short-term cybersecurity improvements in those sites."

Presidential Policy Directive 8: National Preparedness, issued in 2011 to strengthen security and resilience through five preparedness mission areas (Prevention, Protection, Mitigation, Response, and Recovery), includes cyber in its national preparedness goals:

Secure critical infrastructure against human, physical, and cyber threats through sustainable efforts to reduce risk, while accounting for the costs and benefits of security investments.

The National Infrastructure Protection Plan (NIPP) and its complementary Sector-Specific Plans (SSPs), which provide a unifying structure for integrating current and future CI/KR protection efforts, recognize that the U.S. economy and national security are highly dependent upon the cyber infrastructure. The NIPP 2013 evolves the concepts introduced in the initial 2006 version, which was revised in 2009. The 2013 National Plan provides the foundation for an integrated and collaborative approach to achieve the vision of "[a] Nation in which physical and cyber critical infrastructure remain secure and resilient, with vulnerabilities reduced, consequences minimized, threats identified and disrupted, and response and recovery hastened."

Executive Order 13636 (EO), Improving Critical Infrastructure Cybersecurity, issued in February 2013, calls for the development of a voluntary Cybersecurity Framework that provides a "prioritized, flexible, repeatable, performance-based, and cost-effective approach" for assisting organizations responsible for critical infrastructure services to manage cybersecurity risk. NIST released the Cybersecurity Framework called for in Executive Order 13636 in February 2014. The Framework, developed to assist organizations in managing their cybersecurity risk, is technology neutral and relies on existing standards, guidance, and best practice to provide "... a common language for describing current and target states of security, identifying and prioritizing changes needed, assessing progress and fostering communications with stakeholders." It is meant to complement, not replace, existing cybersecurity programs. The Framework is designed to provide a common taxonomy and mechanism for organizations to:

• Describe their current cybersecurity posture;
• Describe their target state for cybersecurity;
• Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
• Assess progress toward the target state;
• Communicate among internal and external stakeholders about cybersecurity risk.

Control System Cybersecurity Strategy and Roadmaps

In 2004, the Department of Homeland Security's National Cybersecurity Division (NCSD) established the Control Systems Security Program (CSSP), which was chartered to work with control systems security stakeholders through awareness and outreach programs that encourage and support coordinated control systems security enhancement efforts.
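The five uses of the Framework listed above (current posture, target state, prioritized improvements, progress, stakeholder communication) map naturally onto a Current Profile and a Target Profile over the Framework Core. The following Python is an added illustration, not code from the primer or from NIST: the category identifiers (ID.AM, PR.AC, DE.CM, and so on) are real CSF v1.1 Core categories, but scoring each category on the 1-4 implementation-tier scale, the criticality weights, and the sample transit-agency profile are constructed assumptions for this example; the Framework itself prescribes no scoring formula.

```python
from dataclasses import dataclass, replace

# Real NIST Cybersecurity Framework v1.1 Core functions (prefix of each
# category id) and the four implementation tiers. Applying the tier scale
# per category and weighting gaps numerically is this example's own
# convention, not something the Framework mandates.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Entry:
    """One Framework Core category with its Current and Target Profile tiers."""
    category: str  # CSF v1.1 category id, e.g. "PR.AC"
    current: int   # tier 1-4 observed today
    target: int    # tier 1-4 the agency wants to reach
    weight: int    # 1-3 business criticality assigned by the agency (constructed)


def validate(entry: Entry) -> Entry:
    """Reject malformed rows before they can distort the gap ranking."""
    if entry.category[:2] not in FUNCTIONS or entry.category[2:3] != ".":
        raise ValueError(f"unknown CSF category id: {entry.category}")
    if entry.current not in TIERS or entry.target not in TIERS:
        raise ValueError(f"tier out of range for {entry.category}")
    if not 1 <= entry.weight <= 3:
        raise ValueError(f"weight out of range for {entry.category}")
    return entry


# Constructed sample profile for a hypothetical transit agency.
SAMPLE_PROFILE = [validate(e) for e in (
    Entry("ID.AM", 2, 3, 3),  # Asset Management
    Entry("ID.RA", 1, 3, 3),  # Risk Assessment
    Entry("PR.AC", 2, 4, 3),  # Identity Management and Access Control
    Entry("PR.AT", 1, 3, 2),  # Awareness and Training
    Entry("DE.CM", 1, 3, 3),  # Security Continuous Monitoring
    Entry("DE.AE", 2, 2, 2),  # Anomalies and Events (already at target)
    Entry("RS.RP", 2, 3, 2),  # Response Planning
    Entry("RC.RP", 1, 2, 1),  # Recovery Planning
)]


def posture_by_function(profile, which="current"):
    """Describe the current (or target) posture as the mean tier per function."""
    tiers = {}
    for e in profile:
        tiers.setdefault(e.category[:2], []).append(getattr(e, which))
    return {f: round(sum(v) / len(v), 2) for f, v in tiers.items()}


def prioritized_gaps(profile):
    """Identify and rank improvement opportunities as (category, tier gap, weighted score)."""
    gaps = [(e.category, e.target - e.current, (e.target - e.current) * e.weight)
            for e in profile if e.target > e.current]
    return sorted(gaps, key=lambda g: (-g[2], g[0]))


def weighted_gap(profile):
    """Total weighted distance from the Target Profile (0 means the target is reached)."""
    return sum(max(e.target - e.current, 0) * e.weight for e in profile)


def reassess(profile, new_tiers):
    """Apply a later assessment's observed tiers, returning a new validated profile."""
    return [validate(replace(e, current=new_tiers.get(e.category, e.current)))
            for e in profile]


def progress(baseline, current):
    """Assess progress toward the target: fraction of the baseline weighted gap closed."""
    before = weighted_gap(baseline)
    if before == 0:
        return 1.0
    return 1 - weighted_gap(current) / before


def stakeholder_summary(profile):
    """Plain lines for communicating posture and priorities to stakeholders."""
    lines = [f"{FUNCTIONS[f]}: mean tier {t}" for f, t in posture_by_function(profile).items()]
    lines += [f"{cat}: raise {gap} tier(s), priority score {score}"
              for cat, gap, score in prioritized_gaps(profile)]
    return lines


if __name__ == "__main__":
    # Constructed follow-up assessment one year later.
    later = reassess(SAMPLE_PROFILE, {"ID.RA": 2, "DE.CM": 3, "PR.AC": 3})
    print("\n".join(stakeholder_summary(SAMPLE_PROFILE)))
    print(f"progress after reassessment: {progress(SAMPLE_PROFILE, later):.0%}")
```

The ranking deliberately multiplies the tier gap by an agency-assigned criticality weight, so a two-tier gap in continuous monitoring (DE.CM) outranks a one-tier gap in recovery planning for a low-criticality asset; ties are broken alphabetically so the output is stable across runs. Progress is measured against the baseline assessment rather than against an absolute scale, which is what the Framework means by assessing progress toward a target state.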
In 2008, the CSSP established the Industrial Control Systems Joint Working Group (ICSJWG) as a coordination body to facilitate the collaboration of control system stakeholders and to encourage the design, development, and deployment of enhanced security for control systems.

Leveraging the efforts of individual sectors such as Energy, Water, and Chemical in developing roadmaps to secure their industrial control systems, the DHS National Cybersecurity Division (NCSD), with volunteers from the ICSJWG and industry stakeholder organizations, developed a Cross-Sector Roadmap to Secure Control Systems to coordinate the efforts across multiple sectors and help develop programs and risk mitigation measures that align with each sector's plan while maintaining a cross-sector perspective. Issued in 2011, the Roadmap provided a plan for voluntarily improving cybersecurity across all critical infrastructure/key resources (CIKR) that employ industrial control systems.

Recognizing the widespread use of control systems in transportation and the economic and social impacts of a transportation cyber-event, the Department of Homeland Security (DHS) also issued The Transportation Industrial Control Systems (ICS) Cybersecurity Standards Strategy in 2012. DHS recommended standardizing transportation ICS cybersecurity practices because "control systems cybersecurity is a fledgling concern in the transportation sector, and preliminary research has illustrated that while some modes have developed relevant standards, most of them have failed to address ICS cybersecurity". The DHS Standards Strategy summarized the state of cybersecurity by transportation mode, identified short- and long-term goals to address gaps in ICS cybersecurity standards, and outlined the estimated cost, timeline, and deliverables associated with meeting those goals. According to the DHS Standards Strategy summary of the transportation modes' ICS standardization activities:

• Aviation has made great strides in securing control systems (CS) for aircraft; however, cybersecurity standards have not addressed CS in airports. Airworthiness Security Methods and Considerations and Airworthiness Security Process Specification were published in 2010. Neither document is publicly available.
• Maritime currently has no standards to address control systems located in ports, terminals, and onboard vessels. The USCG Cyber Command (USCG-CC) recognized the need for sound cybersecurity policy and created the Command, Control, Communication, Computers, and Information Technology (C4&IT) Strategic Plan.
• Transit is currently developing ICS cybersecurity standards through APTA. The freight rail industry does not have a corresponding cybersecurity standards effort. APTA Recommended Practice, Securing Control and Communications Systems in Transit Environments, Part 1: Elements, Organization and Risk Assessment/Management, was published in July 2010. Part II: Defining a Security Zone Architecture for Rail Transit and Protecting Critical Zones was published in 2013. Part 3a: Attack Modeling Security Analysis was published in early 2015. Part 3B: Protecting the Operationally Critical Security Zone is anticipated at a later date.
• Because the highway mode was not actively developing control systems cybersecurity standards at the time of the DHS Standards Strategy publication, DHS has begun to engage standards development organizations (SDOs) and federal agencies to create a highway ICS working group. The focus of the group will be identifying and classifying common highway ICS systems as a start toward creating a highway ICS cybersecurity standard.
• Pipeline mode has developed ICS cybersecurity standards. API Standard 1164: Pipeline SCADA Security was published in 2009. Control Systems Cybersecurity Guidelines for the Natural Gas Pipeline Industry was published in 2011.

DHS and the Department of Transportation John A. Volpe National Transportation Systems Center (Volpe Center) issued A Roadmap to Secure Control Systems in Transportation in 2012. The document views cybersecurity and ICS as inseparable and integrated throughout the transportation sector. The major goals of the Roadmap are:

• to build a "culture of cybersecurity" that includes an ICS cybersecurity governance model and a cybersecurity awareness training program;
• to assess and monitor risk, including identifying a risk management framework and standards, defining roles and responsibilities, and developing and implementing a risk management model and strategy;
• to develop and implement risk reduction and mitigation measures, such as securing interfaces between ICS and other systems and encouraging development of self-defending technologies built into the ICS infrastructure;
• to manage incidents, including researching new, effective detection and response tools.

Near-term objectives focus on assessing risk, with long-term objectives focused on establishing continuous and automated risk monitoring programs and regularly measuring risk management performance.

National and Regional Support Resources

As part of these federal initiatives, a number of national and regional support programs have been established; they are summarized below.

US Department of Transportation (USDOT) Cybersecurity Action Team

The US Department of Transportation (USDOT) developed a Cybersecurity Action Team, as part of Executive Order 13636, to implement the Department's Cyber Incident Response Capability Program. The team monitors, alerts, and advises the ITS and surface transportation communities of incidents and threats, and leverages the extensive body of assessments and research done by Federal Highway Administration (FHWA) staff related to the security threats and vulnerabilities of the United States' transportation systems.

US-CERT and Industrial Control Systems (ICS-CERT) Cyber Information Sharing and Collaboration Program

The US Computer Emergency Readiness Team (US-CERT), part of DHS' National Cybersecurity and Communications Integration Center (NCCIC), provides technical assistance, coordinates cyber information sharing, and proactively manages cyber risks through its 24x7 operations center. US-CERT distributes vulnerability and threat information through its National Cyber Awareness System (NCAS), and operates a Vulnerability Notes Database to provide technical descriptions of system vulnerabilities.

Incident Hotline: 1-888-282-0870
Website: https://www.us-cert.gov/

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) operates cybersecurity operations centers focused on control systems security as part of the NCCIC. The team:

• Responds to and analyzes industrial control systems (ICS) related incidents
• Provides onsite support for incident response and forensics
• Conducts malware analysis
• Coordinates responsible disclosure of ICS vulnerabilities/mitigations
• Shares vulnerability information and threat analysis through information products and alerts
• Provides security awareness training courses (see http://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT)

Website: https://ics-cert.us-cert.gov/

• Transportation Security Administration (TSA)

The TSA has authority to regulate cybersecurity in the transportation sector and provides cybersecurity pamphlets, a weekly newsletter, cybersecurity exercise support, and incident-specific threat briefings. TSA has pursued collaborative and voluntary approaches with industry. TSA and DHS facilitate the Cybersecurity Assessment and Risk Management Approach (CARMA) for companies requesting assessments. TSA has hosted cybersecurity-focused Intermodal Security Training and Exercise Program (I-STEP) exercises, most recently in August 2014. TSA and its industry partners established the Transportation Systems Sector Cybersecurity Working Group (TSSCWG) to advance cybersecurity across all transportation modes. The TSSCWG strategy, completed in mid-2012, stated:

The sector will manage cybersecurity risk through maintaining and enhancing continuous awareness and promoting voluntary, collaborative, and sustainable community action.

The TSSCWG is developing implementation guidance for adoption of the NIST Framework.

• Other Federal Departments and Agencies

National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce. The Computer Security Division (CSD), a component of NIST's Information Technology Laboratory (ITL), provides standards and technology to protect information systems against threats to information and services. Executive Order 13636, Improving Critical Infrastructure Cybersecurity (2013), directed NIST to work with stakeholders to develop a voluntary cybersecurity framework, based on existing standards, guidelines, and practices, for reducing cyber risks to critical infrastructure.
http://www.nist.gov/cyberframework/

A Cybersecurity Framework (CSF) Reference Tool, a runtime database solution, has been created that allows the user to browse the Framework Core by functions, categories, subcategories, and informative references; search for specific words; and export the currently viewed data to various file types.
http://www.nist.gov/cyberframework/csf_reference_tool.cfm

National Institute of Standards and Emergency Technology (CERT®), Source on Insider Threat and Prevention
http://csrc.nist.gov/index.html

NIST National Vulnerability Database

The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data that includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.
http://nvd.nist.gov

NIST Computer Security Division's Computer Security Resource Center (CSRC) facilitates broad sharing of information security tools and practices, provides a resource for information security standards and guidelines, and identifies key security web resources to support users in industry, government, and academia. The CSRC is the primary gateway for gaining access to NIST computer security publications, standards, and guidelines plus other useful security-related information.
http://csrc.nist.gov/publications/PubsSPs.html

NIST has published over 300 information security guides, which include Federal Information Processing Standards (FIPS), the Special Publication (SP) 800 series, Information Technology Laboratory (ITL) Bulletins, and NIST Interagency Reports (NIST IR). The most commonly referenced NIST publications include:

• Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook (1995). Elements of security, roles and responsibilities, common threats, security policy, and program management. Initially created for the federal government, most practices are applicable to the private sector.
• Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems (1996), describes common security principles that are used. It provides a high-level description of what should be incorporated within a computer security policy. It describes what can be done to improve existing security as well as how to develop a new security practice. Eight principles and fourteen practices are described within this document.
• Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model (2014). Learning-continuum model, security literacy and basics, role-based training.
• Special Publication 800-30, Risk Management Guide for Information Technology Systems (2012). Risk management, assessment, mitigation.
• Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems (2010).
• Special Publication 800-39, Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View (2011).
• Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations (2013). Security control fundamentals, baselines by system-impact level, common controls, and tailoring guidelines that are applied to a system to make it "more secure".
• Special Publication 800-60, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories (2008). Security objectives and types of potential losses, assignment of impact levels and system security category.
• Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security (2014). Overview of industrial control systems (ICS), threats and vulnerabilities, risk factors, incident scenarios, security program development.
• Special Publication 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i (2007).
• Special Publication 800-100, Information Security Handbook: A Guide for Managers (2006). Governance, awareness and training, capital planning, interconnecting systems, performance measures, security planning, contingency planning.
• Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (2010). Identifying PII, impact levels, confidentiality safeguards, incident response.

Recent draft publications include:

• Special Publication 800-150, Guide to Cyber Threat Information Sharing, Draft (2014).
• Special Publication 800-160, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems, Draft (2014).

Information Sharing and Analysis Centers (ISACs)
http://www.isaccouncil.org/home.html

The purpose of an ISAC is to serve as the conduit for cross-modal lessons learned and best practices in ICS cybersecurity, and to provide a forum for partnership, outreach, and information sharing.

• Surface Transportation Information Sharing and Analysis Center (ST-ISAC)
https://www.surfacetransportationisac.org/

The ST-ISAC was formed at the request of the Department of Transportation. The ISAC provides a secure cyber and physical security capability for owners, operators, and users of critical infrastructure. Security and threat information is collected from worldwide resources, then analyzed and distributed to members to help protect their vital systems from attack. The ISAC also provides a vehicle for the anonymous or attributable sharing of incident, threat, and vulnerability data among the members. Members have access to information and analytical reporting provided by other sources, such as the U.S. and foreign governments, law enforcement agencies, technology providers, and international computer emergency response teams (CERTs).

• Public Transportation Information Sharing and Analysis Center (PT-ISAC)
http://www.apta.com/resources/safetyandsecurity/Pages/ISAC.aspx

The PT-ISAC is a trusted, sector-specific entity that provides its constituency with a 24/7 Security Operating Capability that establishes the sector's specific information/intelligence requirements for incidents, threats, and vulnerabilities. Based on its sector-focused subject matter analytical expertise, the ISAC then collects, analyzes, and disseminates alerts and incident reports to its membership and helps the government understand impacts for the sector. It provides an electronic, trusted ability for the membership to exchange and share information on all threats, physical and cyber, in order to defend public transportation systems and critical infrastructure. This includes analytical support to the Government and other ISACs regarding technical sector details and mutual information sharing and assistance during actual or potential sector disruptions, whether caused by intentional or natural events.

• Over the Road Bus Information Sharing and Analysis Center (OTRB ISAC)

The OTRB ISAC provides cyber and physical security warning and incident reporting for the OTR transportation segment. Information and news are compiled and extracted from multiple sources by OTRB-ISAC analysts for the purpose of supporting ISAC member homeland security awareness. News alerts and reports are distributed to members by the Over the Road Bus Information Sharing & Analysis Center (OTRB-ISAC).

• Multi-State ISAC (MS-ISAC)
http://msisac.cisecurity.org/

The MS-ISAC is the focal point for cyber threat prevention, protection, response, and recovery for the nation's state, local, tribal, and territorial (SLTT) governments. The MS-ISAC 24x7 cybersecurity operations center provides real-time network monitoring, early cyber threat warnings and advisories, vulnerability identification and mitigation, and incident response. The Multi-State Information Sharing and Analysis Center (MS-ISAC) is a collaborative state and local government-focused cybersecurity entity that is significantly enhancing cyber threat prevention, protection, response, and recovery throughout the states of our nation. The mission of the MS-ISAC is to provide a common mechanism for raising the level of cybersecurity readiness and response in each state/territory and with local governments. The MS-ISAC provides a central resource for gathering information on cyber threats to critical infrastructure and providing two-way sharing of information between and among the states, territories, and local governments.

• Supply Chain ISAC
https://secure.sc-investigate.net/SC-ISAC/ISACHome.aspx

The Supply Chain ISAC offers the most comprehensive forum for collaboration on critical security threats, incidents, and vulnerabilities to the global supply chain. Its mission is to facilitate communication among supply chain dependent industry stakeholders; foster a partnership between the private and public sectors to share critical information; collect, analyze, and disseminate actionable intelligence to help secure the global supply chain; provide an international perspective through private sector subject matter experts; and help protect the critical infrastructure of the United States.

National Cyber Investigative Joint Task Force – Analytical Group

In 2008, the U.S. President mandated the National Cyber Investigative Joint Task Force (NCIJTF) to be the focal point for all government agencies to coordinate, integrate, and share information related to all domestic cyber threat investigations. The FBI is responsible for developing and supporting the joint task force, which includes 19 intelligence and law enforcement agencies.
http://www.fbi.gov/about-us/investigate/cyber/ncijtf

Internet Crime Complaint Center (IC3)

The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). Internet crime complaints are reported online on the IC3 site. IC3 analysts review and research the complaints, disseminating information to the appropriate federal, state, local, or international law enforcement or regulatory agencies for criminal, civil, or administrative action, as appropriate.
http://www.ic3.gov/default.aspx

InfraGard

InfraGard is a partnership between the FBI, state and local law enforcement agencies, and the private sector (businesses, academic institutions, and other participants) dedicated to sharing information and intelligence to prevent hostile acts against the U.S. With over 80 chapters, InfraGard conducts local meetings pertinent to each chapter's area.
https://www.infragard.org/

National Cybersecurity Center of Excellence (NCCoE)

Established in 2012 through a partnership among NIST, the State of Maryland, and Montgomery County, the National Cybersecurity Center of Excellence is dedicated to furthering innovation through the rapid identification, integration, and adoption of practical, standards-based cybersecurity solutions.
http://nccoe.nist.gov/

TRB's Protection of Transportation Infrastructure from Cyber Attacks: A Primer provides transportation organizations with reference materials concerning cybersecurity concepts, guidelines, definitions, and standards. The primer is a joint product of two TRB Cooperative Research Programs, and is categorized as Transit Cooperative Research Program (TCRP) Web-Only Document 67 and National Cooperative Highway Research Program (NCHRP) Web-Only Document 221.

The Primer delivers strategic, management, and planning information associated with cybersecurity and its applicability to transit and state DOT operations. It includes definitions and rationales that describe the principles and practices that enable effective cybersecurity risk management. The primer provides transportation managers and employees with greater context and information regarding the principles of information technology and operations systems security planning and procedures.

The report is supplemented with an Executive Briefing for use as a 20-minute presentation to senior executives on security practices for transit and DOT cyber and industrial control systems. A PowerPoint summary of the project is also available.
