Pages 38-55
From page 38...
Chapter 3: Cybersecurity Plans and Strategies, Establishing Priorities, Organizing Roles and Responsibilities

Security Planning

Security planning directs a transportation agency towards prevention and mitigation of the effects of security incidents by integrating those approaches that have proven to be successful into the operating environment. Development of a security plan provides an effective means to meet cost-benefit and competitive resource challenges.
From page 39...
APTA, in Recommended Practices for Control and Communications Systems, recognizes cybersecurity as a process that should be incorporated into the transportation agency culture. Just as transit agencies have created a safety-centric culture -- saving lives and reducing accidents and accident severity -- they need to foster and create a cybersecurity culture.
From page 40...
Guidance exists for general cybersecurity plans, e.g., the NIST SP 800 series.
From page 41...
... is necessary. Technical personnel must explain to senior management the various impacts of a breach on life safety, equipment safety, revenue service, customer service and satisfaction.
From page 42...
... understanding cybersecurity risk and risk management include the NIST Cybersecurity Framework, NIST SP 800-39 on Managing Information Security Risk, NIST SP 800-100 Information Security Handbook: A Guide for Managers, DHS US-CERT's Risk Management/CEO Recommended Practices, DHS US-CERT's Guide on CEO Questions to Ask, and the Guide to Developing a Cybersecurity and Risk Mitigation Plan.

Phase 3

Phase 3 is the development of the security plan and cyber and physical security countermeasures for new and existing systems and equipment.
From page 43...
... activities, enabling organizations to make informed decisions about cybersecurity expenditures. Implementation of risk management programs offers organizations the ability to quantify and communicate adjustments to their cybersecurity programs.
From page 44...
Figure 7: NIST Framework Implementation Steps. Adapted from Energy Sector Cybersecurity Framework Implementation Guidance, US Department of Energy, 2015.

Step 1
  Inputs: Risk management strategy; Organizational objectives and priorities; Threat information
  Activities: Determine where to apply Framework to evaluate and guide cybersecurity capabilities
  Outcomes: Scope of Framework in Organization

Step 2
  Inputs: Risk management strategy; Framework Scope
  Activities: Identify in-scope systems and assets; Identify standards, guidelines and tools
  Outcomes: Systems & Assets; Cybersecurity requirements & standards

Step 3
  Inputs: Evaluation approach; Systems and Assets; Requirements and Standards
  Activities: Identify current cybersecurity and risk management state
  Outcomes: Current Profile

Step 4
  Inputs: Risk management strategy; Evaluation approach; Systems and Assets; Requirements and Standards
  Activities: Perform risk assessment
  Outcomes: Risk Assessment

Step 5
  Inputs: Current Profile; Organizational objectives; Risk management strategy; Risk assessment reports
  Activities: Identify goals to mitigate risk consistent with organizational goals and critical infrastructure objectives
  Outcomes: Target Profile

Step 6
  Inputs: Current Profile; Target Profile; Organizational objectives; Organizational constraints; Risk management strategy; Risk assessment
  Activities: Analyze gaps between current and target profile; Evaluate consequences from gaps; Prioritize actions (cost-benefit analysis, consequences)
From page 45...
Step 7
  Inputs: Prioritized implementation plan
  Activities: Implement actions by priority; Track progress against plan; Monitor/evaluate progress against risks, metrics and performance indicators
  Outcomes: Project tracking data; New security measures implemented

Case Study: Idaho Transportation Department (ITD)

The Idaho Transportation Department has jurisdictional responsibility for almost 5,000 miles of highway (or 12,000 lane miles)
From page 46...
... agency goals, which forced them to take a holistic view of the whole program. The NIST Framework does not include metric charts or graphical representations in its guidance, so ITD developed their own to use.
From page 47...
... them from perimeter defense to policy and procedures to training and awareness. The figure below presents the Defense in Depth strategic framework.
From page 48...
... may be one of two types of zones: architectural zones or risk zones. Architectural zones are physically distinct areas managed by separate business units.
From page 49...
The APTA Recommended Practice defines security zone classifications and recommends a minimum set of security controls for the most critical zones. To implement this approach, it is important for an agency to identify and place its functions/systems in a series of security zones.
From page 50...
Figure 10: Model Control & Communications System Categories. Source: APTA Recommended Practices, Part 2.

APTA Recommended Practices Part 2 recommends combining Defense in Depth with Detection in Depth. Detection in Depth detects intruders and implements detection for each zone and layer.
From page 51...
Figure 11: Model Transit System. Source: Figure 5, APTA Recommended Practice, Part 2.

Attack Modeling

APTA Recommended Practice Part IIIa recommends Attack Modeling Security Analysis as a countermeasure for large or complex projects, including upgrades and installation of new technologies.
From page 52...
6. Decision point: evaluation type (short or long method)
From page 53...
ICS Cybersecurity Response to Physical Breaches of Unmanned Critical Infrastructure Sites (SANS Analyst Whitepaper, ICS-CERT, 2014) provides recommendations for responses to physical breaches with potential cybersecurity impacts.
From page 54...
The NIST Framework for Improving Critical Infrastructure Cybersecurity, in identifying a common language to address and manage cybersecurity risk, provides a language that may be leveraged in the procurement process – it can be used as a tool to help communicate cybersecurity requirements in the procurement process. The energy sector cybersecurity working group (ESCSWG)
From page 55...
... reconfiguration of default settings. Another example: The Supplier shall provide a method to restrict communication traffic between different network security zones.