National Academies Press: OpenBook

Protection of Transportation Infrastructure from Cyber Attacks: A Primer (2016)

Chapter: Chapter 5 Countermeasures: Protection of Operational Systems

Suggested Citation:"Chapter 5 Countermeasures: Protection of Operational Systems." National Academies of Sciences, Engineering, and Medicine. 2016. Protection of Transportation Infrastructure from Cyber Attacks: A Primer. Washington, DC: The National Academies Press. doi: 10.17226/23516.

Chapter 5 Countermeasures: Protection of Operational Systems

There are countermeasures and approaches that transportation agencies can use to reduce risks and mitigate the impacts of cyber incidents. Significant work has been accomplished in cybersecurity, especially in IT/network security and, most recently, in industrial control system (ICS) cybersecurity. The National Institute of Standards and Technology (NIST) and the Federal Information Processing Standards (FIPS) provide recommended practices and standards, with transportation-specific guidance available from APTA and FHWA. There are international standards and recommendations from the International Organization for Standardization (ISO), the Information Systems Audit and Control Association (ISACA), and Control Objectives for Information and Related Technology (COBIT). Security working groups such as the Computer Security Incident Response Team (CSIRT), the Computer Emergency Response Team (CERT), and ICS-CERT, which responds to breaches of cybersecurity, have compiled resources of recommended practices that can be applied across all industries.

This section provides high-level approaches to reduce vulnerabilities and mitigate the impacts of incidents, and an overview, by category, of specific areas to address as part of cybersecurity.

Some countermeasure resources provide comprehensive guidance and recommendations for a broad range of risks. For example, The Critical Controls for Effective Cyber Defense (COBIT, 2013) is a consensus list of the best techniques that "reflect the combined knowledge of actual attacks and effective defenses of experts in the many organizations that have exclusive and deep knowledge about current threats. These experts come from multiple agencies of the U.S. Department of Defense, Nuclear Laboratories of the U.S. Department of Energy, the U.S. Computer Emergency Readiness Team of the U.S. Department of Homeland Security, the United Kingdom's Centre for the Protection of Critical Infrastructure, the FBI and other law enforcement agencies, the Australian Defence Signals Directorate and government and civilian penetration testers and incident handlers." The chart on the following page summarizes the critical controls best practices, ranked by effectiveness in mitigating incidents. The controls are broken into four groups:

(1) those that address operational conditions that are "actively targeted and exploited",
(2) those that address known "initial entry points",
(3) those that "reduce the attack surface, address known propagation techniques" and mitigate the impact of an incident, and
(4) those related to "optimizing, validating and managing".

Figure 16: Summary of Critical Controls Best Practices. Source: COBIT

As part of the Critical Controls, five "quick wins" or the "First Five" were identified. These controls have been found to be "the most effective means yet found to stop the wave of targeted intrusions that are doing the greatest damage to many organizations." The "First Five" address:

1. Software whitelisting
2. Secure standard configurations
3. Application security patch installation
4. System security patch installation
5. Ensuring administrative privileges are not active while browsing the web or handling email.

Recommended practices for cybersecurity typically are grouped into categories. For example, the NIST Cybersecurity Framework includes the following under Protection:

• Access Control
• Awareness and Training
• Data Security and Information Protection
• Protective Technology

Other categorizations also highlight:

• Cyber Hygiene
• Boundary Defense and Network Separation
• Configuration Management

The rest of this chapter will address each of these in turn, starting with cyber hygiene – the basic practices that can improve cybersecurity.

Cyber Hygiene

Annual cybersecurity surveys regularly find that only a small percentage of cyber breaches (3% in 2012) were unavoidable without difficult or expensive actions.

• Most successful breaches (more than 90% in 2012) required only the most basic techniques to be eliminated.
• Almost all (97% in 2012) successful breaches could have been avoided if simple or intermediate controls were in place.
• 75% of attacks use publicly known vulnerabilities in commercial software that could be prevented by regular patching.

(Source: Symantec Internet Security Threat Report Trends and Verizon Data Breach Investigations Report)

Common cyber hygiene practices include:

1. Encouraging staff to follow basic security policies and procedures.
   • Not giving out user names, passwords, or other access codes to anyone.
   • Not opening e-mails or attachments from strangers.
   • Not installing or connecting any personal software or hardware to the organization's network or hardware without permission.
   • Making passwords complex and changing passwords regularly (every 45-90 days).
   • Keeping anti-virus software current. Regularly downloading and installing vendor security "patches".
   • Following Bring Your Own Device (BYOD) and mobile device management (MDM) security practices.
2. Removing unnecessary applications and functions from systems.
   • Reducing or removing general-purpose services/interfaces.
   • Using application-specific, least-functionality interfaces.
   • Reducing static open file exchanges (shared folders).
   • Eliminating hidden hubs.
3. Changing default configuration options and passwords, such as manufacturer or vendor default passwords.

Basic Rules of Cyber Hygiene
• Update systems and software, including keeping patch levels up to date.
• Maintain up-to-date antivirus, if available, and apply it based on control system vendor recommendations.
• Use strong passwords and change default passwords often.
• Remove or disable any unused applications or functions. Build systems with only the essential applications and components required to perform the intended function.
• Limit use of removable storage devices (USB thumb drives, external drives, CDs).
• Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.

Control System Considerations
• IT patching typically requires relatively frequent downtime. Any sudden or unexpected downtime of control systems can have serious operational consequences.
• Control systems may not be able to run anti-virus software.
• Control system devices may be hard-coded or "insecure by design".
• Control system devices may be exposed to the Internet without agency awareness.

Selected Cyber Hygiene Technical Resources:
NIST SP 800-118, Guide to Enterprise Password Management.
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook.
NIST SP 800-40, Creating a Patch and Vulnerability Management Program, 2005.
Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
Dzung, D., Naedele, M., Von Hoff, T., and Crevatin, M., "Security for Industrial Communication Systems," Proceedings of the IEEE, Institute of Electrical and Electronics Engineers Inc., 2005.
NIST SP 800-82 Rev 2, Guide to Industrial Control Systems (ICS) Security, 2015.
NIST SP 800-53 Rev 4, Recommended Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.

Access Control

Access control involves maintaining secure access to assets and associated facilities, limiting it to authorized users, processes, or devices, and to authorized activities and transactions. Cybersecurity access control cannot be easily separated from physical security. Inadequate physical security can put cyber assets in jeopardy. Physical damage can compromise cyber assets. This section only addresses the cyber components of access control. See NCHRP Report 525, Surface Transportation Security, Volume 14, Security 101: A Physical Security Primer for Transportation Agencies, for additional information and resources.

Access Control Case: Airports
In the summer of 2013, the Center for Internet Security (CIS) was notified of a potential Advanced Persistent Threat (APT) incident at four airports in the U.S. An investigation found that it eventually impacted 75 airports, with 2 airports confirmed to have been compromised. As summarized in the ICS-CERT Alert on this incident (ICS-ALERT-14-176-02A), the APT campaign used phishing emails, redirects to compromised web sites and, most recently, trojanized update installers on at least 3 vendor web sites, something known as watering hole-style attacks. CIS identified a public document related to the aviation industry that appeared to be the source used by the attackers to select the phishing email victims. This incident is a very real reminder that basic cybersecurity does matter.

Access Control Basics
• Use strong passwords and change default passwords often.
• Restrict physical access to the network and remote devices.
• Disable unused ports and services on ICS devices after testing to assure this will not impact ICS operation.
• Restrict user privileges to only those that are required to perform each person's job (i.e., establish role-based access control and configure each role based on the principle of least privilege).
• Consider the use of two-factor authentication methods for accessing privileged accounts or systems.
• Consider using separate authentication mechanisms and credentials for users of the TMS system network and the corporate network.
• When remote access is required, consider deploying two-factor authentication through a hardened IPsec/VPN gateway with split-tunneling prohibited for secure remote access. Be prepared to operate without remote access if required.

Control System Considerations
• Apply appropriate access controls to all field devices such as ramp/gate/signal controllers, dynamic message signs, switches, and signaling devices.
• Secure remote access channels, e.g. place remote devices on private networks if possible.
• Disable telnet, webpage, and web LCD interfaces if not needed.

Effective access control includes applying the concept of least privilege: every program and every user of the system should operate using the least set of privileges necessary to complete the job. It is also recommended to place controls between network segments, if possible, to limit congestion and cascading effects, which will mitigate the effects of an incident that does occur. In addition, it is important to identify controls that minimize the consequences of human error and other unintentional incidents such as equipment failure.

Access Control Case: Dynamic Message Signs
In recent years, dynamic message signs have been a frequent target for mischief. With instructions online and default passwords never reset, anyone could, and did, change the signs to show humorous or profane messages. In 2014, a hacker calling himself Sun Hacker remotely accessed a DOT network and changed multiple signs at once. This demonstrated to FHWA and ICS-CERT the ability to do more serious damage. As summarized in the ICS-CERT Alert on this incident (ICS-ALERT-14-155-01A), there was initial concern that the units involved had hard-coded passwords, but the vendor confirmed that changes could be made during unit installation.

Selected Access Control Technical Resources:
NIST SP 800-73-2, Interfaces for Personal Identity Verification (4 parts), September 2008.
NIST SP 800-76-1, Biometric Data Specification for Personal Identity Verification, 2007.
NIST SP 800-57, Recommendation for Key Management, March 2007: Part 1, General (Revised); Part 2, Best Practices; Part 3, Application-Specific Key Management Guidance (Draft), October 2008.
NIST SP 800-82 Rev 1, Guide to Industrial Control Systems (ICS) Security, May 13, 2013.
Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
Barker, Elaine, et al., NIST SP 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised), March 2007.
NIST SP 800-118, Guide to Enterprise Password Management.
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook.
Dzung, D., Naedele, M., Von Hoff, T., and Crevatin, M., "Security for Industrial Communication Systems," Proceedings of the IEEE, Institute of Electrical and Electronics Engineers Inc., 2005.
NIST SP 800-82 Rev 2, Guide to Industrial Control Systems (ICS) Security, 2015.
NIST SP 800-53 Rev 4, Recommended Security and Privacy Controls for Federal Information Systems and Organizations, 2013.

Data Security and Information Protection

Transportation agencies have a broad range of data collected and stored on their networks. Along with traffic control and system data, there is personally identifiable information (PII) of employees, contractors and, often, customers. Agencies may have credit card information, and a few, those which have responsibility for the state Department of Motor Vehicles (DMV), have extensive customer personal information.

Data security means that information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality (preserving authorized restrictions on information access and disclosure), integrity (guarding against improper information modification or destruction), and availability (ensuring timely and reliable access to and use of information) of information. NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, includes an extensive catalog of management, operational and technical security controls that can be applied to transportation agencies as well.

Data Security and Information Protection Basics
• Protect data-at-rest and data-in-transit with encryption, when possible. Move data between networks using secure, authenticated, and encrypted mechanisms. Perform an annual review of the algorithms and key lengths in use for protection of sensitive data.
• Implement protections against data leaks and loss. Data Loss Protection controls are policy based and include classifying sensitive data, identifying sensitive data across the agency, enforcing data security controls, and on-going reporting and auditing to ensure policy compliance.
• Ensure that data assets are formally managed throughout removal, transfer, and disposition. Backups of data and information are conducted, maintained, and tested periodically. Data is destroyed according to security policy.
• Adequate data capacity is maintained to ensure availability.
• Review cloud provider security practices for data protection.
• Integrity checking mechanisms are used to verify software, firmware, and information integrity.
• The development and testing environment(s) are separate from the production environment.

Control System Considerations
• Communications protocols used in control system environments are different from IT protocols.
• Available computing resources (including CPU time and memory) are limited, so devices may not have enough memory and computing resources to support the addition of security capabilities.
• Some of the operating systems and applications running on ICS may not operate correctly with commercial off-the-shelf IT cybersecurity solutions. In some instances, vendor license and service agreements may not allow third-party cybersecurity solutions.
• Encryption capabilities, error logging and password protection may not be available.

Data Security Case: Customer Information Leak
In 2011, the Internet activist group Anonymous defaced a transit agency's customer-facing website and released the personal contact information of agency users. As part of a political protest, Anonymous posted what it said was the User Database and included names, addresses, phone numbers and email accounts. In a group statement about the posting, Anonymous told customers to contact the transit agency and "ask them why your information wasn't secure with them."

Selected Data Security Technical Resources:
NIST SP 800-53 Rev 4, Recommended Security and Privacy Controls for Federal Information Systems and Organizations, 2013.
NIST SP 800-57, Recommendation for Key Management, March 2007: Part 1, General (Revised); Part 2, Best Practices; Part 3, Application-Specific Key Management Guidance (Draft), October 2008.
NIST SP 800-82 Rev 1, Guide to Industrial Control Systems (ICS) Security, May 13, 2013.
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook.

Boundary Defense and Network Separation

Protecting the boundaries of systems and separating networks are critical to cybersecurity. The edges of systems – for many reasons – are the most vulnerable spots. Implementing technical defenses such as firewalls is a common recommended practice. A strong system of network firewalls includes an external firewall to protect against unauthorized persons trying to get into the network and internal firewalls to wall off different departments/divisions. Those areas that contain the most critical applications and sensitive or valuable information should have particularly robust protections from each other.

As many sources have noted, firewalls are not complete solutions. There are coverage and accuracy issues that have to be considered, along with the likelihood that individual components have direct or wireless connections to the Internet through unknown or unapproved channels. For example, printers on the network may have wireless connections.

For SCADA and control system networks, the connections between remote field devices, e.g. remote terminal units (RTU) or programmable logic controllers (PLC), and the master terminal unit (MTU) are of primary concern. Firewalls between MTUs and RTUs are critical in any system architecture. However, because commercial firewalls do not generally support SCADA protocols, the SCADA protocols and the ports they use have to be identified and explicitly opened in the firewalls for the system. Unfortunately, security experts have long known that one of the great vulnerabilities in a network is the inadvertent opening of ports that can be attacked.

Providing adequate network segmentation between control and business networks is another recommended practice. In some transportation systems, physical isolation of one network from another, or air gapping, has been considered as a security technique. In the past, transportation systems may have been closed proprietary systems protected by "air gaps" and "security by obscurity", but over time isolated systems shifted to more connected systems, including connectivity to safety-critical control systems found in vehicles and in Advanced Traffic Management Systems. In addition, because of the human factor there is no true air gap: users can, and often do, create a connection through external devices (USB sticks, thumb drives, laptop connections, VPN, DVDs, etc.).

The following figures provide a typical highway transportation system network and recommendations.

Boundary Protection and Network Separation Basics
• Provide logical separation between the corporate and control system networks (e.g., stateful inspection firewall(s) between the networks, unidirectional gateways).
• Employ a DMZ network architecture (i.e., prevent direct traffic between the corporate and control system networks).
• Disable unused ports and services on control system devices after testing to assure this will not impact operation.
• When remote access is required, consider deploying two-factor authentication through a hardened IPsec/VPN gateway with split-tunneling prohibited for secure remote access. Be prepared to operate without remote access if required.

Control System Considerations
• Commercial firewalls do not generally support SCADA/control system protocols.
• Secure connections between remote field devices, e.g. remote terminal units (RTU) or programmable logic controllers (PLC), and the master terminal unit (MTU).
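The separation faults this section describes (direct corporate-to-control paths that bypass the DMZ, control devices facing the Internet, SCADA ports opened beyond the MTU-to-RTU path, and broadly opened ports) can be checked mechanically against a firewall ruleset. The following Python script is an added example, not code from the primer or any referenced standard; the zone ranges, hosts and rules are constructed, and the use of the well-known Modbus/TCP (502) and DNP3 (20000) ports assumes those are the SCADA protocols in use.

```python
"""Audit a control-network firewall ruleset for the separation faults a
transportation agency should never see: corporate hosts reaching control
or field devices directly (no DMZ), field devices reachable from the
Internet, SCADA ports opened outside the MTU-to-RTU path, and "any"-port
rules. Added example; all addresses, zones and rules are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone map. Anything outside these ranges is treated as Internet.
ZONES = {
    "corporate": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "control": ipaddress.ip_network("10.3.0.0/24"),  # MTU / SCADA servers
    "field": ipaddress.ip_network("10.4.0.0/16"),    # RTUs, PLCs, controllers
}

# SCADA protocol ports that must be opened explicitly because commercial
# firewalls do not understand the protocols themselves (assumed in use here).
SCADA_PORTS = {502: "Modbus/TCP", 20000: "DNP3"}


@dataclass(frozen=True)
class Rule:
    src: str       # address or CIDR
    dst: str       # address or CIDR
    dport: object  # int, or the string "any"
    action: str    # "allow" or "deny"


def zone_of(cidr: str) -> str:
    """Map an address/CIDR to its zone; unknown ranges count as the Internet."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "internet"


def audit(rules):
    """Return (finding, rule description) pairs for every allow rule that
    violates the boundary-protection basics. Deny rules are never findings."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        s, d = zone_of(r.src), zone_of(r.dst)
        where = f"{r.src} -> {r.dst}:{r.dport}"
        if s == "corporate" and d in ("control", "field"):
            findings.append(("direct-corporate-to-control", where))
        if s == "internet" and d in ("control", "field"):
            findings.append(("internet-exposed-control-device", where))
        if r.dport == "any" and s != d:
            findings.append(("broad-port-opening", where))
        if r.dport in SCADA_PORTS and not (s == "control" and d == "field"):
            findings.append((f"{SCADA_PORTS[r.dport]}-outside-mtu-rtu-path", where))
    return findings


# Constructed ruleset: the first three rules follow the DMZ architecture,
# the rest are the kinds of "temporary" or forgotten rules that accumulate.
RULES = [
    Rule("10.1.0.0/16", "10.2.0.10", 443, "allow"),      # corporate -> DMZ historian
    Rule("10.2.0.10", "10.3.0.5", 1433, "allow"),        # DMZ historian -> MTU database
    Rule("10.3.0.5", "10.4.0.0/16", 502, "allow"),       # MTU polls RTUs over Modbus/TCP
    Rule("10.1.5.20", "10.3.0.5", 3389, "allow"),        # engineer desktop straight to MTU
    Rule("0.0.0.0/0", "10.4.12.7", 80, "allow"),         # sign controller web UI on Internet
    Rule("10.1.0.0/16", "10.4.0.0/16", "any", "allow"),  # any-port rule never removed
    Rule("10.1.0.0/16", "10.3.0.5", 20000, "deny"),      # explicit deny: not a finding
]

if __name__ == "__main__":
    for kind, where in audit(RULES):
        print(f"{kind:40s} {where}")
```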

Figure 17: Typical Transportation System Network with Countermeasures

Figure 18: Typical Transportation System Network without Countermeasures

It is critical to be aware of how and what systems are connected in agency networks. For example, it is not uncommon to connect HVAC equipment to the rest of the network. The access for the 2013 Target credit card breach was through the HVAC system. After the Target incident, an estimate was made of vulnerable HVAC systems, and over 55,000 Internet-connected systems were found. Most organizations may not even be aware that their HVAC system can be found through the web, and may not be paying attention to the connections it has to other systems on the network.

Network Separation Case: HVAC Systems
It is not uncommon for HVAC equipment to be connected to enterprise networks. An FBI Cyber Alert noted that 55,000+ HVAC systems had known vulnerabilities. Best practice for any such system would be to have it on a separate network, if possible, and to understand any remote access used by the vendor for maintenance and monitoring of the HVAC system.

Selected Boundary Protection and Network Separation Technical Resources:
NIST SP 800-73-2, Interfaces for Personal Identity Verification (4 parts), September 2008.
NIST SP 800-76-1, Biometric Data Specification for Personal Identity Verification, 2007.
NIST SP 800-57, Recommendation for Key Management, March 2007: Part 1, General (Revised); Part 2, Best Practices; Part 3, Application-Specific Key Management Guidance (Draft), October 2008.

Configuration Management

Transportation networks, and especially traffic control systems and field devices, require active configuration and maintenance. As delivered from manufacturers and resellers, default configurations are designed for easy deployment, not for security. Network devices may have open services and ports and support for older (vulnerable) protocols. Not only must the systems and devices be secured upon installation, their ongoing management and maintenance must be secured as well, and the process must be capable of managing changes and adapting to new vulnerabilities or the emergence of new threats.

Secure standard configurations is one of the COBIT Critical Controls "First Five" or five "quick wins" – "the most effective means yet found to stop the wave of targeted intrusions that are doing the greatest damage to many organizations." NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, summarizes that the "most successful method for securing control systems" is to gather industry recommended practices and draw on the wealth of information available from standards organizations' activities.
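As an added illustration of the secure-baseline practice this section describes (not code from the primer or from NIST SP 800-82), the Python script below compares a field controller's running configuration against an approved baseline, verifies that the baseline itself has not been silently edited, and flags the insecure defaults the chapter tells agencies to remove (telnet and unencrypted web interfaces, default passwords and community strings, unneeded services). The key=value format, setting names and values are constructed for a hypothetical signal controller.

```python
"""Baseline-versus-running configuration check for a field device.
Added example with a constructed config format; nothing here is a real
vendor's setting name. Findings are returned as data so they can be
forwarded automatically to cybersecurity personnel, as the configuration
management basics require.
"""
import hashlib

# Approved baseline for a hypothetical signal controller (constructed).
BASELINE_TEXT = """\
hostname=sig-ctl-0417
telnet.enabled=no
http.enabled=no
https.enabled=yes
ssh.enabled=yes
snmp.community=R7x!k2_readonly
admin.password_changed=yes
ntp.server=10.3.0.20
"""

# Constructed running config pulled from the device: telnet re-enabled,
# SNMP community reverted to the vendor default, and an FTP service added.
RUNNING_TEXT = """\
hostname=sig-ctl-0417
telnet.enabled=yes
http.enabled=no
https.enabled=yes
ssh.enabled=yes
snmp.community=public
admin.password_changed=yes
ntp.server=10.3.0.20
ftp.enabled=yes
"""

# Settings that should never be present on a deployed device:
# (key, offending value, reason). Drawn from the chapter's hygiene and
# access-control basics; the key names are assumptions of this example.
WEAK_SETTINGS = [
    ("telnet.enabled", "yes", "telnet interface enabled (cleartext credentials)"),
    ("http.enabled", "yes", "unencrypted web interface enabled"),
    ("ftp.enabled", "yes", "unused cleartext service enabled"),
    ("snmp.community", "public", "default SNMP community string"),
    ("admin.password_changed", "no", "vendor default password still in use"),
]


def parse(text):
    """Parse key=value lines into a dict, ignoring blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def fingerprint(text):
    """SHA-256 over the normalised (sorted) settings, so reordering lines
    does not change it. Record this with the approved baseline; a mismatch
    means the baseline file itself was altered outside change control."""
    normalised = "\n".join(f"{k}={v}" for k, v in sorted(parse(text).items()))
    return hashlib.sha256(normalised.encode()).hexdigest()


def drift(baseline, running):
    """Every (key, baseline_value, running_value) that differs; a value of
    None means the key is absent on that side."""
    out = []
    for key in sorted(set(baseline) | set(running)):
        b, r = baseline.get(key), running.get(key)
        if b != r:
            out.append((key, b, r))
    return out


def weak_settings(cfg):
    """Reasons for every insecure default found in a parsed config."""
    return [reason for key, bad, reason in WEAK_SETTINGS if cfg.get(key) == bad]


def audit(baseline_text, running_text, approved_fingerprint):
    """Full check: baseline integrity, drift from baseline, weak settings."""
    baseline, running = parse(baseline_text), parse(running_text)
    return {
        "baseline_ok": fingerprint(baseline_text) == approved_fingerprint,
        "drift": drift(baseline, running),
        "weak": weak_settings(running),
    }


if __name__ == "__main__":
    result = audit(BASELINE_TEXT, RUNNING_TEXT, fingerprint(BASELINE_TEXT))
    print("baseline intact:", result["baseline_ok"])
    for key, was, now in result["drift"]:
        print(f"drift: {key}: {was!r} -> {now!r}")
    for reason in result["weak"]:
        print("weak setting:", reason)
```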

Configuration Management Basics
• Create and maintain a baseline configuration of information technology and control systems.
• Follow strict configuration management. The security configuration of devices should be documented, reviewed, and approved as consistent with agency cybersecurity policy. Any deviations from the standard configuration or updates to the standard configuration should be documented and approved in a change control system.
• All new configuration rules should be documented and recorded in a configuration management system, with a specific business reason for each change and an expected duration of the need.
• Verify standard device configurations to detect changes. All alterations to such files should be automatically reported to cybersecurity personnel.
• Restrict access to configuration settings and ensure that configuration change control processes are in place.
• Build and maintain a secure image that is used to build all new systems deployed in the enterprise. Any existing system that becomes compromised should be re-imaged with the secure build. Regular updates or exceptions to this secure image should be integrated into the organization's change management processes.

Control System Considerations
• Negotiate contracts to buy systems configured securely out of the box.
• Security settings of IT products should be set to the most restrictive mode consistent with control system operational requirements.
• Ensure that all modifications to the control system network meet the security requirements identified in risk assessment and mitigation plans.

Selected Configuration Management Technical Resources:
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook.
NIST SP 800-70 Rev. 3, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers, 2015.
NIST SP 800-82 Rev 1, Guide to Industrial Control Systems (ICS) Security, May 13, 2013.
NIST SP 800-53 Rev 4, Recommended Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
Critical Controls for Effective Cyber Defense, 20 Critical Security Controls – Version 4.1, March 2013.

Bring Your Own Device (BYOD) Recommended Security Practices

Replicating traditional cybersecurity policies to address mobile devices and other employee- or contractor-owned consumer devices – known as Bring Your Own Device (BYOD) – may be impractical, if not difficult. Privacy is a major concern with consumer-owned devices, which raises the issue of separating agency data from private data. Applying controls to the data rather than the device may be a more practical solution. There are a number of recommended security practices that address BYOD. A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (2012) was developed by the Digital Services Advisory Group and the Federal Chief Information Officers Council, based on lessons learned from successful BYOD programs. Management policies and risk assessment have been found to be critical to BYOD cybersecurity.

Selected BYOD Resources:
Bring Your Own Device: A Toolkit to Support Federal Agencies Implementing Bring Your Own Device, Digital Services Advisory Group and Federal Chief Information Officers Council, August 23, 2012.

Bring-Your-Own-Device Cybersecurity Basics
• Assess and document risks in information security (operating system compromise due to malware, device misuse, and information spillover risks); operations security (personal devices may divulge information about a user when conducting specific activities in certain environments); and transmission security (protections to mitigate transmission interception).
• Consider data sensitivity when reviewing apps in use and conducting a risk assessment. Clarify ownership of the apps and data.
• Identify permitted and supported devices to prevent the introduction of malicious hardware and firmware. Recommend an approach to content storage (e.g. cloud vs. device).
• Apply controls to the data rather than the device. Set operational principles on the use of allowed cloud services.
• Define content applications that are required, allowed, or banned, and consider use of mobile device management (MDM) and mobile application management (MAM) enterprise systems to enforce policies.
• Address app compatibility issues (e.g., accidental sharing of sensitive information due to differences in information display between platforms).
• Keep policies and processes up to date. Employee agreements that address wiping personal and corporate data must be active, not passive, with signatures and a human resources record.

Monitoring and Detection

Many resources have cited the importance of monitoring, logging, and analyzing successful and attempted intrusions into systems and networks as a critical component of cybersecurity. These elements are essential to “establishing a continuing process for security improvement”. APTA Recommended Practice: Securing Control and Communications Systems in Rail Transit Environments, Part II includes a companion concept to Defense-in-Depth, Detection-in-Depth, a “way to detect that an intruder has gained access”. The Practice recommends that detection methods be created for each zone and defensive layer. It is recommended that anomalies, successful and attempted intrusions, and accidental and unintended incidents be logged and analyzed as part of an ongoing cybersecurity process.

Common monitoring and detection challenges have been identified:
• There is too much data to analyze.
• Too many alerts and false positives occur to effectively identify problems and issues.
• There is incomplete visibility of the network and endpoints.

Any deficiencies in monitoring, logging, and analysis provide opportunities for network compromises and security incidents. Intrusions can be hidden, and commonly are – the average time to detect data breaches and/or a malicious insider is over 200 days. Even when incidents are detected, without protected and complete logging records it is difficult to determine the details of the incident and what effects it has had on the network and systems. Poor or nonexistent log analysis processes allow intrusions such as APTs to persist for months or years without anyone in the organization knowing about it, even though the evidence may be recorded in unexamined log files.

Average time to detect a data breach: 229 days (Mandiant Threat Report 2014)
Average time to detect cybercrime: 170 days (Ponemon Institute Report 2014)
Average time to detect a malicious insider: 259 days (Ponemon Institute Report 2014)

Monitoring and Detection Basics
• A baseline of network operations and expected data flows for users and systems is established and managed.
• Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.
• Monitoring of sensors, logs, and other network elements should be done on a real-time basis where feasible.
• Detected events are analyzed to understand attack targets and methods and to determine the impact of events.
• Have security personnel and/or system administrators run biweekly reports that identify anomalies. They should then actively review the anomalies, documenting their findings.
• Event data are aggregated and correlated from multiple sources and sensors.
• Incident alert thresholds are established.
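Added example (not from the primer or from any agency's program): Python applying three of the basics above to constructed flow records, comparing each flow against a baseline of expected conduits between zones, detecting event loss in the log collector from sequence-number gaps, and aggregating deviations per source zone against an alert threshold. The zone names, protocols, sequence numbers and threshold are assumptions.

```python
"""Added example (not from the primer or MARTA): baseline, event-loss and
threshold checks over constructed flow records from a rail control network."""
from collections import Counter

# Constructed baseline of expected data flows (conduits) between zones.
# Zone names and protocols are hypothetical, not any agency's real topology.
BASELINE_FLOWS = {
    ("ops_workstation", "scada_server", "tcp/443"),
    ("scada_server", "plc_field", "modbus/502"),
    ("historian", "scada_server", "tcp/1433"),
}
ALERT_THRESHOLD = 3  # assumed: alert once a source zone has this many deviations

# Constructed collector records: (collector_seq, src_zone, dst_zone, protocol)
FLOW_LOG = [
    (1, "ops_workstation", "scada_server", "tcp/443"),
    (2, "scada_server", "plc_field", "modbus/502"),
    (3, "historian", "scada_server", "tcp/1433"),
    (4, "ops_workstation", "plc_field", "modbus/502"),  # bypasses the SCADA server
    (7, "ops_workstation", "plc_field", "modbus/502"),  # seq 5 and 6 never arrived
    (8, "ops_workstation", "plc_field", "modbus/502"),
    (9, "ops_workstation", "historian", "tcp/22"),
]


def find_baseline_deviations(records, baseline=BASELINE_FLOWS):
    """Flows not in the managed baseline of expected conduits between zones."""
    return [r for r in records if (r[1], r[2], r[3]) not in baseline]


def find_event_loss(records):
    """Gaps in the collector's sequence numbers, returned as (first_missing,
    next_seen); a gap means events were dropped, e.g. when volume exceeded
    the collector's capacity, and must itself raise an alert."""
    seqs = [r[0] for r in records]
    return [(a + 1, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]


def alerts_over_threshold(deviations, threshold=ALERT_THRESHOLD):
    """Aggregate deviations by source zone; zones at or past the threshold alert."""
    counts = Counter(d[1] for d in deviations)
    return {zone: n for zone, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    deviations = find_baseline_deviations(FLOW_LOG)
    print("unexpected flows:", deviations)                 # 4 records, all from ops_workstation
    print("event-loss gaps:", find_event_loss(FLOW_LOG))   # [(5, 7)]
    print("alerts:", alerts_over_threshold(deviations))    # {'ops_workstation': 4}
```

A single unexpected flow stays below the threshold and is only logged; the repeated direct workstation-to-PLC traffic and the sequence gap are what raise alerts.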

Selected Monitoring and Detection Technical Resources
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook.
NIST SP 800-61 Rev 2, Computer Security Incident Handling Guide, 2012.
NIST SP 800-82 Rev 2, Guide to Industrial Control Systems (ICS) Security, May 2015.
NIST SP 800-92 Rev 1, Guide to Computer Security Log Management, 2006.
NIST SP 800-53 Rev 4, Recommended Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
Critical Controls for Effective Cyber Defense, 20 Critical Security Controls – Version 4.1, March 2013.

Monitoring and Detection Basics (continued)
• Ensure that the collection system does not lose events during peak activity, and that the system detects and alerts if event loss occurs (such as when volume exceeds the capacity of a log collection system).
• Develop a retention policy to make sure that the logs are kept for a sufficient period of time. Organizations are often compromised for several months without detection. The logs must be kept for a longer period of time than it takes an organization to detect an attack, so that it can accurately determine what occurred.

Control System Considerations
• Control systems may not have logging or auditing capabilities, or may not be compatible with IT automatic monitoring tools. Auditing utilities should be tested (e.g., off-line on a comparable control system) before being deployed on an operational system.
• Logs maintained by a control system application may be stored at various locations and may or may not be encrypted.

Case Study - Metropolitan Atlanta Rapid Transit Authority (MARTA)

The Metropolitan Atlanta Rapid Transit Authority (MARTA) operates heavy rail, bus transit, and paratransit services. MARTA’s heavy rail system is comprised of four lines, including two lines serving the Hartsfield-Jackson Airport; its bus operations encompass 91 routes covering one thousand route-miles. MARTA, the ninth-largest U.S. transit system in terms of unlinked passenger trips, provided 135 million trips in 2012 (2014 APTA Public Transportation Fact Book).

MARTA used information generated by the CSET® tool along with APTA’s Recommended Practice Part 2 to conduct a cybersecurity gap analysis and risk assessment. The Cybersecurity Evaluation Tool (CSET®), developed by DHS’s Control Systems Security Program, assists agencies and asset owners in assessing their cybersecurity practices through a series of detailed questions about components, architecture, policies, and procedures. CSET’s Four-Step Process is shown in the diagram below:

Figure 19: CSET Four-Step Process

In December 2012, DHS conducted a two-day onsite consultation and assisted MARTA in using CSET. Based on MARTA’s answers to questions on the consequences of a successful cyber attack, Security Assurance Levels (SALs) were determined by the tool. Depending on the SAL, a cybersecurity level to protect against a worst-case scenario was then established. Each component received gap and priority ratings, and on-site and off-site SAL ratings. A network diagram created with the assistance of the tool helped MARTA staff visualize the criticality of network components and define cybersecurity zones, critical components, and communication conduits. ICS Administrative-level results were reported in the following table:

Table 6: ICS Administrative-Level Results

ICS Administrative-level Access Control results identified gaps, which were matched with APTA controls. They were then analyzed according to Availability, Probability, and Severity. The result of the assessment was a 300+ page report with high-level recommendations and observations. MARTA has been prioritizing the recommendations with the assistance of APTA. Recommendation implementation challenges were due to the difficulty of replacing or retrofitting legacy systems and to agency resource constraints. MARTA’s high-level timeline for its train control and SCADA cybersecurity is shown below:

Figure 20: MARTA Cybersecurity High-Level Timeline
