Protection of Transportation Infrastructure from Cyber Attacks: A Primer (2016)

Chapter: Chapter 3 Cybersecurity Plans and Strategies, Establishing Priorities, Organizing Roles and Responsibilities

Suggested Citation:"Chapter 3 Cybersecurity Plans and Strategies, Establishing Priorities, Organizing Roles and Responsibilities." National Academies of Sciences, Engineering, and Medicine. 2016. Protection of Transportation Infrastructure from Cyber Attacks: A Primer. Washington, DC: The National Academies Press. doi: 10.17226/23520.

Chapter 3 Cybersecurity Plans and Strategies, Establishing Priorities, Organizing Roles and Responsibilities

Security Planning

Security planning directs a transportation agency towards prevention and mitigation of the effects of security incidents by integrating those approaches that have proven to be successful into the operating environment. Development of a security plan provides an effective means to meet cost-benefit and competitive resource challenges. The plan can also reduce litigation risk and insurance costs. When the security plan is well structured and soundly developed using the appropriate strategies and elements, the resulting product can be a blueprint for short-term and multi-year security planning.

Security planning also sets out the policies and procedures related to security and any special requirements or considerations that are unique to the specific transit agency or state DOT. The objective of security planning is to ensure both the integrity of operations and the security of assets. Transportation agencies already have planning processes and plans that address critical infrastructure protection and resilience, continuity of operations, and operational issues such as incident management, equipment failures and other natural or accidental events. Planning for cybersecurity should result in the integration of security systems and processes into an agency's existing planning processes and daily business routine.

This section includes an overview of planning recommendations, guidance for specific types of plans (cyber incident response plans, recovery plans) and a summary of recommended strategies to address cybersecurity of transportation systems.

Cybersecurity is no different from physical (or any other type of) security in that it is an ongoing effort that involves people and processes along with technology. Agency people (management, staff, contractors, vendors, etc.) must be aware of the need for security and educated on the security policies and procedures in place in the agency. The agency security strategy must be supported with specific policies and procedures tied to a matching organizational structure.

A security plan is a written document containing information about an organization's security policies, procedures, and countermeasures. The plan should include a concise statement of purpose and clear instructions about the agency security requirements... Creating a sound security plan is often as much a management issue as it is a technical one. It involves motivating and educating managers and employees to understand the need for security and their role in developing and implementing an effective and workable security process. Organizational leaders must ensure that security planning is an actual functional activity and part of the agency's culture.
Source: NCHRP Report 525, Vol. 14, Security 101: A Physical Security Primer for Transportation Agencies

APTA, in Recommended Practices for Control and Communications Systems, recognizes cybersecurity as a process that should be incorporated into the transportation agency culture.

Just as transit agencies have created a safety-centric culture, saving lives and reducing accidents and accident severity, they need to foster and create a cybersecurity culture. This requires an awareness program; a training program; an assessment of cybersecurity threats; a reduction of the attack surface (the number of places and ways someone can attack transit systems); a cybersecurity program that addresses threats, mitigations, the software/firmware update process, and monitoring and detection methodologies; and the ability to be audited to check for compliance via logs and change-management systems.
Source: APTA Recommended Practices, Part 2

Cybersecurity planning should incorporate, at the minimum:
• Security strategy that expresses management's commitment to cybersecurity and provides the high-level direction and requirements for cybersecurity in the agency.
• Security policies that address the range of management, personnel, operational and technical issues and guide the development, implementation and enforcement of the agency security measures.
• Roles and responsibilities that clarify decision-making authority and responsibility for cybersecurity.
• Vulnerability and risk assessments to identify the agency-specific security requirements and assist in prioritization of risk management efforts.
• Development and maintenance of cybersecurity plans, including risk mitigation/management and response/recovery plans.
• Active monitoring and evaluation on a continuous basis.
• Awareness and training for all agency employees.

When planning for cybersecurity, some principles should be kept in mind:
• Address cybersecurity planning in a systematic way, with a commitment to a process of continuous improvement. Even with unlimited resources, it is not possible to eliminate all vulnerabilities and risks. Take a balanced approach that focuses on standards and incorporates learning from experience.
• Any cybersecurity program should be approached using risk management practices as a guide. Evaluate the agency's specific cyber risks and develop the cybersecurity plan around managing those risks.
• An organization's security policy and controls must be adaptable to emerging threats in a constantly evolving world. Vulnerabilities are evolving and new risks are growing by the hour. Maintain situational awareness of cyber threats, both intentional and unintentional, as part of the plan.
• Failure will happen, so it is important to plan for it, isolate it, contain its damage and recover from it gracefully. Perfect security is not possible, and not every risk can be controlled. Planning ahead, by having a Cyber Response and Recovery Plan, can reduce the damage from an incident.

Guidance exists for general cybersecurity plans, e.g. the NIST SP 800 series. However, to date, no comprehensive guidance has been developed to support a transportation agency cybersecurity plan. The Roadmap to Secure Control Systems in the Transportation Sector (DHS, 2012) was developed to help transportation agencies develop plans and the culture needed to sustain those plans. Guidance tailored for other sectors (e.g. nuclear, electrical and water) also has relevance for the transportation sector.

APTA Recommended Security Program

APTA Recommended Practice Securing Control and Communications Systems in Rail Transit Environments, Part 1 presents a four-phase transit control and communications systems security program which helps transit agencies manage the cyber risk of those systems. The overall recommendations developed by APTA are based on NIST standards (i.e. SP 800-18, SP 800-53). The goal of a security program (one part of a security plan) is to identify risks and understand their likelihood and impact on the transportation system; put in place security controls (or countermeasures) that mitigate the risks to a level acceptable to the agency; and have in place response and recovery plans to minimize the impact of incidents and reduce the time needed to get the system back to normal operations.

Plan implementation requires support from senior management, system users, maintenance personnel, support staff, and system and equipment vendors. The four phases of the security program are:
• Phase 1 – Security plan awareness, establishment of a security team and risk assessment funding
• Phase 2 – Risk assessment and security plan funding
• Phase 3 – Security plan development and security countermeasures
• Phase 4 – Implementation of security plan measures and maintenance plan

Phase 1

Phase 1 requires management to understand the importance of cybersecurity countermeasures and the implications of a security breach within a transit environment. Senior managers establish the "tone at the top" and lead by example to demonstrate the importance of cybersecurity to the agency and to foster a healthy respect for the programs and processes put in place to support security. The senior managers establish the business objectives for security and the organizational roles/responsibilities. They provide the needed support (awareness, training and funding) for the organization's security program. The leadership establishes and maintains the organizational "attention span" for cybersecurity. In order for this to take place, senior managers must first understand why cybersecurity

is necessary. Technical personnel must explain to senior management the various impacts of a breach on life safety, equipment safety, revenue service, and customer service and satisfaction. Key activities based on best practices for this phase include:
• Ensuring active executive sponsorship for each stage of planning, deploying and monitoring cybersecurity efforts, which is critical to the success of the efforts. Executive management will set the security objectives and align the strategic risk management with overall agency needs.
• Assigning responsibility for cybersecurity risk management to a senior manager so that risk mitigation, resource allocation decisions and policy enforcement all roll up to a clearly defined executive with the requisite authority.
• Defining the system(s) and critical cyber assets that need to be secured along with their classification (e.g. operational systems, payment systems, confidential information, PII, etc.) to assist in making informed decisions about risk severity and impact to the agency.

Phase 2

Phase 2 focuses on risk assessment of both physical and cyber elements to identify vulnerabilities and the likelihood of a loss of functionality due to system and/or component failure. The end state, as described in the Transportation Roadmap (2012), is "a robust portfolio of ICS-recommended security measures and analysis tools to effectively assess and monitor ICS cybersecurity risk." An important part of this phase is the risk assessment process, which was discussed in detail in the previous chapter. APTA recommends that this stage of the process include the following:
1. Generate management support and empowerment for the risk-assessment process.
2. Form the risk assessment team from technical experts and stakeholders.
3. Identify assets and loss impacts.
4. Identify threats to assets.
5. Identify and analyze vulnerabilities.
6. Assess risk and determine priorities for the protection of critical assets.
7. Identify countermeasures, their costs and trade-offs.

The assessment will involve the identification of all systems and assets and the location of the equipment; access points that require cybersecurity; and users and their access levels/points. In addition, the risk assessment determines and quantifies the consequences of the loss of functionality and makes recommendations for the mitigation of the risks. The likelihood of functionality loss will be determined by system analysis and by assessing the impact of failure (e.g., monetary, operations, life safety, infrastructure, equipment) for each component (hardware or system link). Ensuring that cybersecurity risks are incorporated in the agency's overall risk management process is key. Identifying vulnerability and responding adequately to cybersecurity risks is not only about knowing where cybersecurity can be improved, but about knowing where it meets the level of collectively acceptable risk for a program, agency, organization, or region.

In addition to APTA Recommended Practice, Part 1 and Part 2, sources of information on

understanding cybersecurity risk and risk management include the NIST Cybersecurity Framework, NIST SP 800-39 (Managing Information Security Risk), NIST SP 800-100 (Information Security Handbook: A Guide for Managers), DHS US-CERT's Risk Management/CEO Recommended Practices, DHS US-CERT's Guide on CEO Questions to Ask, and the Guide to Developing a Cybersecurity and Risk Mitigation Plan.

Phase 3

Phase 3 is the development of the security plan and cyber and physical security countermeasures for new and existing systems and equipment. The plan should also cover equipment maintenance and support issues. APTA recommends that the security plan contain the following elements:

Control and communications systems boundaries:
• Identify the systems.
• Identify the equipment.
• Identify the locations.
• Identify the stakeholders.
Work group:
• Include all stakeholders.
• Identify responsibilities of the stakeholders.
Policies and procedures:
• Administrative
• Technical
• Cyber
• Physical
• Maintenance
Security measures:
• Management reports
• Maintenance issues
• Training

Phase 4

Phase 4 is the implementation of the security plan through the establishment of a security plan management system and a maintenance plan. Much of this phase will be described in APTA Recommended Practice, Part 3. Part 3 will continue to address security zones and introduce attack modeling for rail transit.

Establishing Priorities

NIST Cybersecurity Framework

To assist in implementing an approach that is focused on standards, the National Institute of Standards and Technology (NIST), working with industry groups and the private sector, has developed a framework of baseline standards for cybersecurity. The NIST Cybersecurity Framework, called for in Executive Order 13636, was released in February 2014 to assist organizations in managing their cybersecurity risk. With an understanding of risk tolerance, organizations can prioritize cybersecurity

activities, enabling organizations to make informed decisions about cybersecurity expenditures. Implementation of risk management programs offers organizations the ability to quantify and communicate adjustments to their cybersecurity programs. Organizations may choose to handle risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk, depending on the potential impact to the delivery of critical services.

The Framework uses risk management processes to enable organizations to inform and prioritize decisions regarding cybersecurity. It supports recurring risk assessments and validation of business drivers to help organizations select target states for cybersecurity activities that reflect desired outcomes. Thus, the Framework gives organizations the ability to dynamically select and direct improvement in cybersecurity risk management for the IT and ICS environments.

The NIST Framework is technology neutral and relies on existing standards, guidance, and best practice to provide "a common language for describing current and target states of security, identifying and prioritizing changes needed, assessing progress and fostering communications with stakeholders. It is meant to complement, not replace, existing cybersecurity programs". The Framework is designed to provide a common taxonomy and mechanism for organizations to:
• Describe their current cybersecurity posture;
• Describe their target state for cybersecurity;
• Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
• Assess progress toward the target state;
• Communicate among internal and external stakeholders about cybersecurity risk.

Figure 6: Cybersecurity Risk-Based Framework. Source: NIST Cybersecurity Framework, 2014.

Figure 7: NIST Framework Implementation Steps. Adapted from Energy Sector Cybersecurity Framework Implementation Guidance, US Department of Energy 2015

Step 1
  Inputs: Risk management strategy; organizational objectives and priorities; threat information
  Activities: Determine where to apply the Framework to evaluate and guide cybersecurity capabilities
  Outcomes: Scope of the Framework in the organization
Step 2
  Inputs: Risk management strategy; Framework scope
  Activities: Identify in-scope systems and assets; identify standards, guidelines and tools
  Outcomes: Systems and assets; cybersecurity requirements and standards
Step 3
  Inputs: Evaluation approach; systems and assets; requirements and standards
  Activities: Identify current cybersecurity and risk management state
  Outcomes: Current Profile
Step 4
  Inputs: Risk management strategy; evaluation approach; systems and assets; requirements and standards
  Activities: Perform risk assessment
  Outcomes: Risk assessment
Step 5
  Inputs: Current Profile; organizational objectives; risk management strategy; risk assessment reports
  Activities: Identify goals to mitigate risk consistent with organizational goals and critical infrastructure objectives
  Outcomes: Target Profile
Step 6
  Inputs: Current Profile; Target Profile; organizational objectives; organizational constraints; risk management strategy; risk assessment
  Activities: Analyze gaps between Current and Target Profile; evaluate consequences from gaps; prioritize actions (cost-benefit analysis, consequences); create action plan
  Outcomes: Prioritized gaps; prioritized implementation plan
Step 7
  Inputs: Prioritized implementation plan
  Activities: Implement actions by priority; track progress against plan; monitor/evaluate progress against risks, metrics and performance indicators
  Outcomes: Project tracking data; new security measures implemented

Case Study – Idaho Transportation Department (ITD)

The Idaho Transportation Department has jurisdictional responsibility for almost 5,000 miles of highway (or 12,000 lane miles), more than 1,700 bridges, and 30 recreational and emergency airstrips. ITD also has responsibility for the Department of Motor Vehicles (DMV) as one of its DOT functions, with the resultant need to protect state residents' PII found in driving permits, driver's licenses, and other related information. The significant black market value of Social Security and driver's license numbers added incentive to the challenge of improving the cybersecurity of the agency.

ITD looked at frameworks and approaches to support its efforts. ISO standards were being used at the agency, and the team reviewed SANS 20 guidance before deciding to utilize the NIST Framework. The NIST Framework provided a common set of terms and values so that the agency could create metrics on movement towards goals: what investment looked like in terms of agency-specific goals and the work accomplished to address identified gaps. The Framework gave the agency a structure for demonstrating ROI for the investment of resources, employees and tools that reduced the cyber risk of the agency.

To implement the Framework at ITD, the agency needed to identify its cyber-related goals (the primary focus was security of DMV-related information) and then do an internal analysis on where the current systems were in terms of recommended guidance.
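Steps 3 to 6 of Figure 7 (Current Profile, Target Profile, gap analysis, prioritized gaps) are the part of the Framework an agency actually computes, and the per-function summary is what a quarterly chart like ITD's is built from. The following is an added Python example written for this page; it is not code from the primer, from NIST or from ITD. It uses the Framework's four implementation tiers (Partial, Risk Informed, Repeatable, Adaptive) plus an added tier 0 for subcategories not yet addressed, real subcategory identifiers from Framework version 1.0 (e.g. ID.AM-1, PR.DS-1), and constructed sample profiles and consequence ratings; the scoring rule (gap size times consequence) is this example's own assumption, not a Framework requirement.

```python
"""NIST CSF Current/Target Profile gap analysis (added example, not from the primer)."""
from collections import defaultdict
from dataclasses import dataclass

# Implementation tiers of the NIST Cybersecurity Framework (1 to 4), with a
# tier 0 added by this example for subcategories the agency has not yet
# addressed at all (an assumption of this example, not a Framework tier).
TIERS = {0: "Not addressed", 1: "Partial", 2: "Risk Informed",
         3: "Repeatable", 4: "Adaptive"}

# Subcategory identifiers follow the Framework's Function.Category-N scheme;
# the two-letter prefix selects the function.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: int
    target: int
    consequence: int   # 1 (low) .. 5 (high): impact if this gap is exploited

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> int:
        # Larger gaps on higher-consequence outcomes come first (example rule).
        return self.size * self.consequence


def function_of(subcategory: str) -> str:
    prefix = subcategory.split(".", 1)[0]
    if prefix not in FUNCTIONS:
        raise ValueError(f"unknown function prefix in {subcategory!r}")
    return FUNCTIONS[prefix]


def check_tier(tier: int) -> int:
    """Reject scores outside the 0..4 scale instead of silently averaging them."""
    if tier not in TIERS:
        raise ValueError(f"tier must be one of {sorted(TIERS)}, got {tier!r}")
    return tier


def function_scores(profile: dict[str, int]) -> dict[str, float]:
    """Average tier per function, the figure a quarterly summary chart shows."""
    sums, counts = defaultdict(int), defaultdict(int)
    for sub, tier in profile.items():
        fn = function_of(sub)
        sums[fn] += check_tier(tier)
        counts[fn] += 1
    return {fn: round(sums[fn] / counts[fn], 2) for fn in sums}


def gap_analysis(current: dict[str, int], target: dict[str, int],
                 consequence: dict[str, int]) -> list[Gap]:
    """Subcategories where current < target, highest priority first.

    A target subcategory absent from the current profile is scored as
    tier 0: the agency has not been addressing it, which is a gap, not an
    unknown. Subcategories with no consequence rating default to 1.
    """
    gaps = []
    for sub, want in target.items():
        have = check_tier(current.get(sub, 0))
        if have < check_tier(want):
            gaps.append(Gap(sub, function_of(sub), have, want,
                            consequence.get(sub, 1)))
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))


# Constructed sample profiles for illustration (not ITD's real scores).
CURRENT = {"ID.AM-1": 2, "ID.RA-1": 1, "PR.AC-1": 2, "PR.DS-1": 1,
           "DE.CM-1": 1, "RS.RP-1": 0}
TARGET = {"ID.AM-1": 3, "ID.RA-1": 3, "PR.AC-1": 3, "PR.DS-1": 3,
          "DE.CM-1": 2, "RS.RP-1": 2, "RC.RP-1": 2}
CONSEQUENCE = {"PR.DS-1": 5, "PR.AC-1": 4, "RS.RP-1": 4, "RC.RP-1": 3,
               "ID.RA-1": 2}

if __name__ == "__main__":
    for fn, score in function_scores(CURRENT).items():
        print(f"{fn:9s} current average tier {score}")
    for g in gap_analysis(CURRENT, TARGET, CONSEQUENCE):
        print(f"{g.subcategory:8s} {g.function:9s} {TIERS[g.current]:14s} -> "
              f"{TIERS[g.target]:14s} priority {g.priority}")
```

Run as a script it prints the per-function averages (Recover does not appear in the current profile at all) and the ranked gap list, with RC.RP-1 showing up at tier 0 because the target names it and the current profile does not. Setting the targets before scoring, as ITD recommends, is what makes the ranking meaningful: the priority column depends only on the distance to target and the consequence rating, not on how generous the current-state scoring was.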
The agency went through each NIST Framework function (Identify, Protect, Detect, Respond, Recover) by category and subcategory to assess by tier, on a scale that ranged from Partial through Risk Informed and Repeatable to Adaptive, where the agency's cybersecurity efforts currently were. ITD added a zero to the scale, recognizing that in some categories and subcategories the agency either had not been aware of, or may not have been addressing, certain aspects of security.

Based on its experience, ITD recommends setting targets first, before conducting the assessments. It cautions against setting targets too high, which can result in high cybersecurity costs. Because the targets can be reset over time, the agency recommends focusing on agency-specific cybersecurity risks. For example, for securing customer information, ITD considered each function category based on the value of the data.

ITD found that one of the most difficult parts of the process was understanding how recommended cybersecurity and countermeasures guidance documents such as the NIST SP 800 series applied to a transportation agency, since some were initially geared to federal agencies to address FIPS compliance. It was a challenge for the ITD team doing the work, but the results were worth it. ITD was forced to take a hard look at its systems and current approaches and to ask hard questions, especially in deciding how to score the agency. They had to decide on

agency goals, which forced them to take a holistic view of the whole program.

The NIST Framework does not include metric charts or graphical representations in the guidance, so ITD developed its own. The agency wanted to create metrics to represent in graphical format what investment looked like, e.g. how the agency was moving toward the goals. The agency created a chart that summarizes the tier assessments by function, and that information is presented to leadership on a regular basis. The figure below provides an illustration used by ITD with quarterly results. Goals have been set for each function based on the priorities set by the agency. ITD found that over time, as it became more cybersecurity-adept, the scoring became "harsher" than in the initial assessment, so in some instances the tier was lower in a subsequent quarter.

Note: Other organizations have created metrics adapted from the NIST Framework to easily convey to management their risk treatment plan and results. The University of Michigan utilizes a high/medium/low rating instead of the scoring system used by Idaho.

Figure 8: Example of ITD NIST Framework Quarterly Goal Tracking

The process allowed the ITD team to successfully address the cybersecurity funding challenges of how much budget is available and where in the agency the budget comes from. Initially, there was a one-person cybersecurity team with tools being paid for from business area budgets. Using the NIST Framework and the graphic "results" chart, support from senior management was easier to obtain. The chart provided a way to show the agency's cyber risk as part of a holistic, "big picture" view and could demonstrate the ROI: making the DOT more secure.

Defense in Depth Approach

The Defense-in-Depth Strategy is a high-level recommended approach for cybersecurity countermeasures. The approach involves multiple layers of defenses protecting critical assets and systems. The approach does not focus on a few countermeasures but a range of

them, from perimeter defense to policy and procedures to training and awareness. The figure below presents the Defense in Depth strategic framework. Defense in Depth was created by the NSA and has been adopted as a recommended practice by the DHS Control Systems Security Program (CSSP). APTA has adopted this strategy for the protection of rail transit communications and control systems.

Figure 9: Cyber Defense-in-Depth Strategic Framework. Source: DHS Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies, 2009

A Defense in Depth strategy begins with understanding and measuring the risks faced by the agency, using resources to mitigate the risks, identifying overlapping areas of core competencies of resources, using appropriate security standards, and customizing or creating specific controls for the agency. The strategy is based on having the aggregate of all security activities provide complete protection for an organization's ICS. (DHS Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies, 2009)

This strategy promotes cybersecurity through: "increasing the amount of time and number of exploits needed to successfully compromise a system; increasing the likelihood of detecting and blocking attacks; allowing security policies and procedures to better align with agency organizational structure; and directly supporting the identification and implementation of cybersecurity risk (or impact) zones." (APTA Recommended Practice Part 2)

A key aspect of the strategy is the division of the systems architecture into zones, with each zone having its own defensive strategy, and monitoring and securing zone boundaries and any necessary connections among zones. Zones are identified based on security requirements and

48 may be one of two types of zones – architectural or risk zone. Architectural zones are physically distinct areas managed by separate business units. Risk zones or impact zones group functions based on impact type and may be under the purview of more than one business unit. The example provided by DHS in the Recommended Practice (2009) is a Zone Model for Manufacturing. The Model contains five zones: external, corporate, manufacturing/data, control/cell, and safety; each zone is prioritized according to security requirements. Specific aspects of the strategy include the following: • Develop ICS-specific security policies, procedures, training and educational content and address security throughout the ICS lifecycle • Align ICS security policies and procedures with threat level • Separate ICS and corporate networks by using appropriate network architecture and providing logical separation. • Ensure availability by implementing redundant critical components (or networks) and designing fault tolerant critical systems to avoid cascading events • Restrict physical and virtual access through separate authentication for ICS and corporate networks, and user privileges should be based on the principle of least privilege. • Prevent, deter, detect, and mitigate introduction, exposure, and propagation of malware through security controls, security patches, and disabling unused ports and services after testing; and tracking and monitoring audit trails to detect patterns and identify vulnerabilities • Zones – a key aspect of the strategy is the division of systems architecture into zones with each zone having its own defensive strategy and monitoring and securing zone boundaries and any necessary connections among zones. Zones should be identified based on security requirements. There are two types of zones – architectural and risk zones. Architectural zones are physically distinct areas managed by separate business units. 
Risk zones or impact zones group functions based on impact type. Risk zones may be under the purview of more than one business unit. (The example provided by DHS is a Zone Model for Manufacturing. The model contains five zones: external, corporate, manufacturing/data, control/cell, and safety; each zone is prioritized according to security requirements.)

It should be noted that Defense-in-Depth does not eliminate all vulnerabilities and risks in a system. Recent research (Firefly, 2014) found that 97% of systems utilizing a Defense-in-Depth approach were still found to have been compromised.

Security Zones Approach

With limited resources and budgets, it is impossible to protect all systems and apply all recommended countermeasures and approaches to the fullest extent. To address this reality, taking a zoned approach can help in the prioritization of efforts.

APTA Recommended Practice defines security zone classifications and recommends a minimum set of security controls for the most critical zones. To implement this approach, it is important for an agency to identify and place its functions/systems in a series of security zones. The following are the three security zones identified by the APTA CCSWG in APTA Recommended Practice, Part 2, presented in increasing level of safety criticality:
• Operationally Critical Security Zone (OCSZ) – This is the control center zone and includes the SCADA, train control, traction power, dispatch, passenger information system and associated equipment.
• Fire, Life-Safety Security Zone (FLSZ) – The systems in this zone warn, protect or inform in an emergency. Systems include emergency management panels, emergency ventilation systems, fire detection and suppression systems, and traction power emergency shutdown systems.
• Safety Critical Security Zone (SCSZ) – The systems in this zone are those that, if modified, can present an immediate threat to life or safety. Vital signaling, interlocking and ATP are examples of such systems.

There are two additional zones associated more with IT than with control systems: the Enterprise Zone, which includes accounting systems and schedule systems, and the External Zone, which includes communications with the internet and vendors.

Table 1: APTA Cybersecurity Zones

Importance      Zone                          Example System
Most Critical   Safety Critical Security      Field signaling
                Fire, Life-Safety Security    Fire Detection/suppression
                Operationally Critical        Traffic Management
                Enterprise                    HR, Accounting
Most Public     External                      Communications with public, vendors, others

The model security zone chart in the Figure below depicts the location of these zones in different areas of the rail transit system.

Figure 10: Model Control & Communications System Categories
Source: APTA Recommended Practices, Part 2

APTA Recommended Practices Part 2 recommends combining Defense in Depth with Detection in Depth. Detection in Depth detects intruders and implements detection for each zone and layer. It is based on the concept of least privilege, which initially restricts all outbound traffic and subsequently permits only necessary outbound connections. To assist transit agencies in implementing the approach, an example transit system, shown in the Figure below, is provided in APTA Recommended Practice, Part 2. The model transit system has seven stations, two lines, passengers, vendors, and staff; the staff is divided into various groups such as the signals and communications group, track maintenance, fire response, life safety and the operations group.
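The zone model and the least-privilege rule above (deny everything across a boundary, then permit only the connections that are needed) can be written down as data and checked against what the boundary devices actually see. The following is an added example, not code from the primer or from APTA: it ranks the five zones of Table 1 by criticality, keeps an explicit allow-list of cross-zone flows, treats anything else as a denial, and runs a few constructed boundary-log lines through the policy. The zone labels, the allow-list entries, the port numbers and the log format are all assumptions made for the example.

```python
"""Zone-boundary flow check for the APTA security zones (constructed example)."""
from dataclasses import dataclass
from typing import List, Tuple

# Zones ranked from most critical (0) to most public (4), following Table 1.
ZONE_RANK = {
    "SCSZ": 0,        # Safety Critical Security Zone
    "FLSZ": 1,        # Fire, Life-Safety Security Zone
    "OCSZ": 2,        # Operationally Critical Security Zone
    "ENTERPRISE": 3,  # Enterprise Zone (HR, accounting, scheduling)
    "EXTERNAL": 4,    # External Zone (internet, vendors)
}

# Explicit allow-list of cross-zone flows: (src, dst, protocol, dst_port).
# Everything not listed is denied. The entries and port numbers are
# hypothetical, chosen only to make the example run.
ALLOWED_FLOWS = {
    ("OCSZ", "SCSZ", "tcp", 20000),          # dispatch polls vital status
    ("OCSZ", "ENTERPRISE", "tcp", 443),      # operations reports to enterprise
    ("ENTERPRISE", "OCSZ", "tcp", 443),      # schedule push to operations
    ("ENTERPRISE", "EXTERNAL", "tcp", 443),  # enterprise web access outbound
}


@dataclass(frozen=True)
class Flow:
    timestamp: str
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


def evaluate_flow(flow: Flow) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one connection attempt.

    Intra-zone traffic is allowed, explicitly listed cross-zone flows are
    allowed, and everything else is denied (default deny). Denials that start
    in a less critical zone and target a more critical one are labelled
    separately because those are the ones worth alerting on first.
    """
    if flow.src_zone == flow.dst_zone:
        return "allow", "intra-zone traffic"
    key = (flow.src_zone, flow.dst_zone, flow.proto, flow.dst_port)
    if key in ALLOWED_FLOWS:
        return "allow", "on cross-zone allow-list"
    if ZONE_RANK[flow.src_zone] > ZONE_RANK[flow.dst_zone]:
        return "deny", "less critical zone initiating toward more critical zone"
    return "deny", "cross-zone flow not on allow-list"


def parse_flow_line(line: str) -> Flow:
    """Parse a constructed log line: '<timestamp> <src> <dst> <proto> <port>'."""
    ts, src, dst, proto, port = line.split()
    if src not in ZONE_RANK or dst not in ZONE_RANK:
        raise ValueError(f"unknown zone in line: {line!r}")
    return Flow(ts, src, dst, proto.lower(), int(port))


def audit_flow_log(log_text: str) -> List[Tuple[Flow, str]]:
    """Return the denied flows from a boundary log, each with its reason."""
    denied = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow_line(line)
        decision, reason = evaluate_flow(flow)
        if decision == "deny":
            denied.append((flow, reason))
    return denied


# Constructed sample boundary log; not real traffic.
SAMPLE_FLOW_LOG = """\
2016-03-01T10:00:01 EXTERNAL ENTERPRISE tcp 443
2016-03-01T10:00:02 OCSZ SCSZ tcp 20000
2016-03-01T10:00:03 ENTERPRISE SCSZ tcp 22
2016-03-01T10:00:04 SCSZ OCSZ udp 514
2016-03-01T10:00:05 OCSZ OCSZ tcp 502
2016-03-01T10:00:06 ENTERPRISE EXTERNAL tcp 443
"""

if __name__ == "__main__":
    for flow, reason in audit_flow_log(SAMPLE_FLOW_LOG):
        print(f"{flow.timestamp} DENY {flow.src_zone}->{flow.dst_zone} "
              f"{flow.proto}/{flow.dst_port}: {reason}")
```

Three of the six constructed lines are denied: the inbound connection from the External zone, the attempt from the Enterprise zone into the Safety Critical zone, and a syslog-style flow from the Safety Critical zone that nobody has put on the allow-list. The last one is the useful case: default deny surfaces flows that may be legitimate but undocumented, which is exactly what the "permit only necessary connections" step is meant to force into the open.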

Figure 11: Model Transit System
Source: Figure 5, APTA Recommended Practice, Part 2

Attack Modeling

APTA Recommended Practice Part IIIa recommends Attack Modeling Security Analysis as a countermeasure for large or complex projects, including upgrades and installation of new technologies. Attack modeling involves the creation of attack trees, which depict the series of steps needed for an attack to transpire or a system to become compromised. Attack modeling is formally defined as:

“[A] method of detailed security analysis of a control and communications system considering a range of threats and in what ways a system may be attacked. By studying the pathways through which an attack may be carried out, a relative ranking of the risks of system compromise from these threats may be compiled and countermeasures planned to prevent these attacks.” (APTA Part IIIa)

Commercial and open source attack modeling software is available to support the analysis process and develop the attack trees. The attack modeling process involves the following steps:
1. Characterize the system
2. Describe the normal sequence of operations, along with data flows
3. Decompose operations into sequence diagrams
4. Identify threats to the system during operating sequences
5. Build attack trees

6. Decision point: evaluation type (short or long method)
7. Use the Short Method or Long Method

A case study of a hypothetical U.S. transit agency with a conventional fixed-block signaling system is provided in Section 4 of APTA Part IIIa.

Organizing Roles and Responsibilities

Understanding and defining the roles and accountabilities of the organization’s functions and employees in support of the agency’s security mission and operations is critical. However, it is important to be realistic about what can be supported by the engineering and operational team, the IT support team, and vendors, by understanding the technical, legal, and institutional limits under which the support team is operating.

It is critical to facilitate discussion and interaction between the IT, engineering and operational groups. Cybersecurity is generally the responsibility of IT personnel. Control systems are usually the responsibility of engineering and operations personnel. Implementing cybersecurity for transportation control systems requires a good understanding of security AND the control systems and their operational environments.

Utah Transit Agency (UTA) has instituted a cybersecurity program that includes integration of employee training, established governance and procedures, and technical solutions. The agency has established a cybersecurity support process that reduces the culture “gap” between IT and operations. Cross-training of transit operational staff with IT was conducted on cybersecurity to allow improved communications and interactions between the divisions. IT staff understood that the ‘T’ in UTA stood for “transit”, not “technology”.

Some cyber incidents may require outside support. Very few transportation agencies have the expertise and skills to respond to every cyber incident. Including in the risk matrix which risks are manageable by local staff and which ones are not, and understanding when that limit is reached and where to get help, is important.
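Returning to the attack-modeling steps above (step 5, building the tree, and the ranking of risks and countermeasures that APTA Part IIIa describes): the mechanics are simple enough to show in a few lines. What follows is an added example, not APTA's method, its software, or the case study in Section 4. It represents an attack tree as AND/OR nodes, takes the cheapest branch at each OR node and adds up the steps of each AND node, ranks the root's branches, and then scores candidate countermeasures by how much each raises the cheapest path. The tree, the leaf names (chosen from controls the primer already discusses: cabinet intrusion, ICS/corporate separation, credentials, vendor connections) and the effort values are all constructed for the example; a real analysis would take them from the system characterization in steps 1 to 4.

```python
"""Attack-tree evaluation and countermeasure ranking (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"      # "LEAF", "AND" (all children needed) or "OR" (any child suffices)
    effort: float = 0.0     # leaves only: relative attacker effort on a constructed 1-10 scale
    children: List["Node"] = field(default_factory=list)


def min_effort(node: Node, adjust: Optional[Dict[str, float]] = None) -> Tuple[float, List[str]]:
    """Return (effort, leaf names) of the cheapest way to satisfy `node`.

    OR nodes take the cheapest child; AND nodes add up their children.
    `adjust` maps a leaf name to a new effort and models a countermeasure
    that makes that particular step harder.
    """
    adjust = adjust or {}
    if node.kind == "LEAF":
        return adjust.get(node.name, node.effort), [node.name]
    results = [min_effort(child, adjust) for child in node.children]
    if node.kind == "AND":
        return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown node kind {node.kind!r}")


def rank_paths(root: Node) -> List[Tuple[str, float]]:
    """Rank the root's alternative branches from easiest to hardest."""
    ranked = [(child.name, min_effort(child)[0]) for child in root.children]
    return sorted(ranked, key=lambda r: r[1])


def rank_countermeasures(root: Node, options: Dict[str, Dict[str, float]]) -> List[Tuple[str, float]]:
    """Score each countermeasure by how much it raises the effort of the cheapest path."""
    base, _ = min_effort(root)
    scored = [(name, min_effort(root, adj)[0] - base) for name, adj in options.items()]
    return sorted(scored, key=lambda s: s[1], reverse=True)


# Constructed tree for a generic goal. Leaf names are categories the primer
# already mentions; effort values are illustrative only.
TREE = Node("Unauthorized configuration change to a field controller", "OR", children=[
    Node("Via cabinet maintenance port", "AND", children=[
        Node("Gain physical access to wayside cabinet", effort=3),
        Node("Attach an unauthorized device to the maintenance port", effort=2),
    ]),
    Node("Via corporate network", "AND", children=[
        Node("Pivot from enterprise network into the control zone", effort=5),
        Node("Authenticate with default controller credentials", effort=1),
    ]),
    Node("Via vendor remote access", effort=7),
])

# Candidate countermeasures, expressed as the new effort of the step they harden.
COUNTERMEASURES = {
    "Cabinet locks and intrusion alarms": {"Gain physical access to wayside cabinet": 6},
    "Disable unused maintenance ports": {"Attach an unauthorized device to the maintenance port": 6},
    "Replace default credentials": {"Authenticate with default controller credentials": 5},
    "Cabinet alarms + replace default credentials": {
        "Gain physical access to wayside cabinet": 6,
        "Authenticate with default controller credentials": 5,
    },
}

if __name__ == "__main__":
    effort, leaves = min_effort(TREE)
    print(f"cheapest path (effort {effort}): {' -> '.join(leaves)}")
    for name, e in rank_paths(TREE):
        print(f"  branch {name!r}: effort {e}")
    for name, gain in rank_countermeasures(TREE, COUNTERMEASURES):
        print(f"  countermeasure {name!r}: raises cheapest path by {gain}")
```

The point the ranking makes is one the text states but a tree makes concrete: fixing the single weakest step (here, default credentials) gains nothing on its own, because the attacker simply takes the next-cheapest branch; the countermeasure that pays off is the one that lifts every cheap branch at once. Min-for-OR and sum-for-AND is only one common convention; probability or cost can be combined in the same structure.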
The U.S. Department of Transportation (USDOT) developed a Cybersecurity Action Team to support the Incident Response Capability Program.

Relationship with Physical Security

Cybersecurity cannot be easily separated from physical security. Inadequate physical security can put cyber assets in jeopardy. Physical damage can compromise cyber assets. Evidence of intrusion into physical assets, especially control system cabinets, devices or terminals, communications devices or networks, is an indicator of a suspected cyber breach. Along with more obvious damage or telltale evidence of intrusion and unreconciled door and/or cabinet alarms, inexplicable loss or behavior of communications links or behavior of control system devices could be indications of physical security breaches. Policies and practices for responding to physical security breaches also need to address cybersecurity and incorporate the consideration that a cyber-related incident may also have occurred.

ICS Cybersecurity Response to Physical Breaches of Unmanned Critical Infrastructure Sites (SANS Analyst Whitepaper, ICS-CERT, 2014) provides recommendations for responses to physical breaches with potential cybersecurity impacts. (NCHRP Report 525 Surface Transportation Security, Volume 14, Security 101: A Physical Security Primer for Transportation Agencies, provides additional information and resources on physical security of transportation systems.) SANS/ICS-CERT recommends a three-level cyber response approach after conducting a physical examination of the location for anything that appears to be missing or out of place. The three levels are:
1. Initial physical examination to assess physical connections, evidence of tampering, alarm status/indicators, and unfamiliar or new hardware or media (e.g., USB devices, wireless cards, access points or any other covert hardware devices used to compromise cyber systems).
2. Systems and configuration checks to identify forensic evidence of intrusions such as new user accounts, hidden files, unauthorized configuration changes, and unusual network activity.
3. Detailed examination of file systems and binaries, if necessary, to confirm that files are clean and uncorrupted, that network devices are properly configured, and that there is no evidence of unauthorized firmware updates.

Each level in the response approach requires more technical and operational expertise and closer coordination between the cybersecurity experts and the operational engineers. Along with skills in hardware and software installation for the potentially impacted control systems, the appropriate vendors and consultants may need to be involved with the in-house technicians.

Procurement Language Guidance for Vendor Contracts

Recognizing that cyber systems are often purchased from vendors and not always developed in-house, the U.S. Department of Homeland Security (DHS) worked with industry cybersecurity and control system subject matter experts and the U.S.
Department of Energy (DOE) to produce Cybersecurity Procurement Language for Control Systems, published in 2009. The document summarizes security principles that should be considered when designing and procuring control systems products and services (software, systems, maintenance, and networks), and provides examples of procurement language text, mapped directly to vulnerabilities of control systems, to incorporate into procurement specifications. Created in a process that brought together leading control system security experts, purchasers, integrators, and technology providers and vendors across many industry sectors (e.g., electricity, natural gas, petroleum and oil, water, transportation, and chemical), the guidance was designed to assist both system owners and integrators in establishing sufficient control systems security controls within contract relationships to ensure an acceptable level of risk.
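Returning to level 2 of the SANS/ICS-CERT response approach described above (systems and configuration checks for new accounts, hidden files, unauthorized configuration changes and unusual network activity): those checks only work if a known-good baseline of the site's hosts was captured before the breach. The following is an added example, not from the SANS whitepaper or the primer, of what a technician's comparison against that baseline looks like. Both snapshots, the file paths, the account names and the listening ports are constructed for the example; in practice the baseline would be collected at commissioning and after each approved change, and stored off the device.

```python
"""Level-2 check: compare a host snapshot against its known-good baseline (constructed example)."""
import hashlib
from typing import List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of file contents, used as the configuration-file fingerprint."""
    return hashlib.sha256(data).hexdigest()


# A snapshot is what a technician collects from a control-system host: local
# accounts, hashes of configuration files, listening services and the file
# listing of directories of interest. Both snapshots below are constructed.
BASELINE = {
    "accounts": {"root", "operator", "maint"},
    "config_sha256": {
        "/etc/hmi/hmi.conf": sha256_hex(b"mode=normal\npoll_interval=5\n"),
        "/etc/network/interfaces": sha256_hex(b"auto eth0\niface eth0 inet static\n"),
    },
    "listening": {("tcp", 22), ("tcp", 502)},
    "files": {"/home/operator/.bashrc", "/home/operator/notes.txt"},
}

CURRENT = {
    "accounts": {"root", "operator", "maint", "svc_backup"},        # account not in baseline
    "config_sha256": {
        "/etc/hmi/hmi.conf": sha256_hex(b"mode=normal\npoll_interval=5\nremote_write=1\n"),  # edited
        "/etc/network/interfaces": sha256_hex(b"auto eth0\niface eth0 inet static\n"),
    },
    "listening": {("tcp", 22), ("tcp", 502), ("tcp", 8080)},       # new listening service
    "files": {"/home/operator/.bashrc", "/home/operator/notes.txt",
              "/home/operator/.cache/.tmp"},                         # new file in a hidden directory
}


def is_hidden_path(path: str) -> bool:
    """True if any component of the path is a dot-file or dot-directory."""
    return any(part.startswith(".") for part in path.split("/") if part)


def diff_snapshots(baseline: dict, current: dict) -> List[Tuple[str, str]]:
    """Return (finding_type, detail) pairs for every deviation from the baseline."""
    findings = []
    for acct in sorted(current["accounts"] - baseline["accounts"]):
        findings.append(("new_account", acct))
    for acct in sorted(baseline["accounts"] - current["accounts"]):
        findings.append(("missing_account", acct))
    for path, digest in sorted(current["config_sha256"].items()):
        expected = baseline["config_sha256"].get(path)
        if expected is None:
            findings.append(("new_config_file", path))
        elif expected != digest:
            findings.append(("config_changed", path))
    for proto, port in sorted(current["listening"] - baseline["listening"]):
        findings.append(("new_listener", f"{proto}/{port}"))
    for path in sorted(current["files"] - baseline["files"]):
        kind = "new_hidden_file" if is_hidden_path(path) else "new_file"
        findings.append((kind, path))
    return findings


if __name__ == "__main__":
    for kind, detail in diff_snapshots(BASELINE, CURRENT):
        print(f"{kind:18s} {detail}")
```

The comparison deliberately reports deviations rather than deciding what they mean: a new account or listener may be a legitimate change that was never recorded, which is itself a finding about change management. Anything that cannot be explained from the change records is what escalates the response to level 3, the detailed file-system and firmware examination.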

The NIST Framework for Improving Critical Infrastructure Cybersecurity, in identifying a common language to address and manage cybersecurity risk, provides a language that may be leveraged in the procurement process; it can be used as a tool to help communicate cybersecurity requirements in the procurement process. The energy sector cybersecurity working group (ESCSWG) – a public-private partnership consisting of asset owners, operators, and government agencies – using the 2009 DHS document as a foundation, developed a baseline cybersecurity procurement language guidance document, Cybersecurity Procurement Language for Energy Delivery System (2014), guided by the NIST Framework. Although it was tailored to the specific needs of the energy sector, the suggested procurement language has relevance for all sectors, including transportation. It should be noted that both the DHS and the ESCSWG documents focused on the cybersecurity of control systems and did not address cybersecurity-based procurement language for IT. Recommendations for IT cybersecurity procurement are included in the NIST 800 series of publications and other standards and guidance documents.

The 2014 energy sector document provides baseline cybersecurity procurement language for individual components (e.g., programmable logic controllers, digital relays, or remote terminal units) and individual systems (e.g., a SCADA system, EMS, or DCS). It also “differentiates the cybersecurity-based procurement language that is common to the procurement of individual components and systems from language that is only applicable to individual components or systems. Furthermore, this document differentiates language that is applicable to specific technologies (e.g., Transmission Control Protocol/Internet Protocol [TCP/IP] communication between systems or components, and remote access capabilities)”.
There is a section that provides general cybersecurity considerations that apply to many types of products being procured, grouped into the following topic areas:
• Software and Services
• Access Control
• Account Management
• Session Management
• Authentication/Password Policy and Management
• Logging and Auditing
• Communication Restrictions
• Malware Detection and Protection
• Reliability and Adherence to Standards

A number of the procurement language elements presented request summary documentation or verification from the Supplier. For example:

The Supplier shall provide summary documentation of procured product’s security features and security-focused instructions on product maintenance, support, and

reconfiguration of default settings.

Another example:

The Supplier shall provide a method to restrict communication traffic between different network security zones. The Supplier shall provide documentation on any method or equipment used to restrict communication traffic.

Additional sections provide language to consider when acquiring intrusion detection systems, focused on physical security considerations and wireless technologies, and on cryptographic technology.

As noted in both of the resources cited above, the procurement language presented in the documents is not all-inclusive. Depending on the product and services required by the transportation agency, additional cybersecurity-based procurement language beyond what has been identified in these documents may be necessary. In addition, as the cybersecurity landscape continues to evolve, new threats, technologies, techniques, practices, and requirements may need to be considered during the procurement process. The procurement language will need to evolve to meet the challenges of this changing landscape.

TRB's Protection of Transportation Infrastructure from Cyber Attacks: A Primer provides transportation organizations with reference materials concerning cybersecurity concepts, guidelines, definitions, and standards. The primer is a joint product of two TRB Cooperative Research Programs, and is categorized as Transit Cooperative Research Program (TCRP) Web-Only Document 67 and National Cooperative Highway Research Program (NCHRP) Web-Only Document 221.

The Primer delivers strategic, management, and planning information associated with cybersecurity and its applicability to transit and state DOT operations. It includes definitions and rationales that describe the principles and practices that enable effective cybersecurity risk management. The primer provides transportation managers and employees with greater context and information regarding the principles of information technology and operations systems security planning and procedures.

The report is supplemented with an Executive Briefing for use as a 20-minute presentation to senior executives on security practices for transit and DOT cyber and industrial control systems. A PowerPoint summary of the project is also available.
