Documents
Resources
Learning Center
Upload
Plans & pricing Sign in
Sign Out

Slide 1 - US-CERT

VIEWS: 12 PAGES: 39

									                  Agenda




           Control Systems Security Program
           Transportation Sector
           ICSJWG 2011 Spring Conference

           David Sawin
           John A. Volpe National Transportation Systems Center




Homeland
Security
                            Agenda


• Industrial Control Systems (ICS) in Transportation

• Risk Areas, Progress, Accomplishments

• Major players

• Feedback




      Homeland
      Security
                                                       2
Transportation is Increasingly Dependent on Net-
centric Operations and Wireless Communications




 Homeland
 Security
                                                   3
E-enabled vehicles are now the norm…




Homeland
Security
                                       4
           …for all of us!




                             Source: aa1car.com




Homeland
Security
                                                  5
We’re Demanding & Exploiting Connectivity
             4G Technology at 2011 Consumer Electronics Show




                                         www.latestcar.us        thetorquereport.com
 www.engadget.com

                                Access vehicle diagnostics
                                Unlock doors
                                Slow cars down with geofencing
                                Limit driving speed of teens


       “We’re redefining what it means to be a really fast computer”
       Audi Chairman Rupert Stadler




      Homeland
      Security
                                                                                       6
      Control Systems Security Challenges

 SECURITY TOPIC          INFORMATION TECHNOLOGY                CONTROL SYSTEMS
 Anti-virus & Mobile         Common & widely used             Uncommon and can be
         Code                                                   difficult to deploy
 Support Technology                 3-5 years                     Up to 20 years
      Lifetime
     Outsourcing              Common/widely used             Rarely used (vendor only)
Application of Patches          Regular/scheduled              Slow (vendor specific)
Change Management               Regular/scheduled            Legacy based – unsuitable
                                                                for modern security
Time Critical Content      Delays are usually accepted         Critical due to safety
     Availability          Delays are usually accepted         24 x 7 x 365 x forever
 Security Awareness      Good in private and public sector   Generally poor regarding
                                                                 cyber security
Security Testing/Audit      Scheduled and mandated             Occasional testing for
                                                                  outages / audit
  Physical Security                  Secure                   Remote and unmanned


   Homeland
   Security
                                                                                         7
                      Critical Infrastructure Sectors
                       Volpe Leads Transportation
           Homeland Security Presidential Directive 7 (HSPD-7) along with
      the National Infrastructure Protection Plan (NIPP) identified & categorized
     U.S. Critical Infrastructure into the following 18 Critical Infrastructure & Key
                                    Resources Sectors

1.   Agriculture & Food         7. Emergency Services           13. Postal & Shipping
2.   Banking & Finance          8. Energy                       14. Public Health & Healthcare
3.   Chemical                   9. Government Facilities        15. Telecommunications
4.   Commercial Facilities     10. Information Technology       16. Transportation
5.   Dams                      11. National Monuments & Icons   17. Water
6.   Defense Industrial Base   12. Nuclear Reactors,            18. Critical Manufacturing
                                   Materials, & Waste




             Homeland
             Security
                                                                                                 8
    Partnership Between DHS and DOT



                       • Inventory
                       • Risk assessments
                       • Standards and best practices
                       • Laboratory
                       • Notification & response plans
                       • Outreach, training and
                         professional capacity building
                       • Transportation Control System
                         Security Roadmap




Homeland
Security
                                                          9
   Highway Existing Technologies
   Transportation Management Systems




Homeland
Security
                                       10
     Transportation Management System


                                      • Advanced Traveler Information
                                        System
                                      • Field Devices
                                      • Center to Field Network
                                      • Back Office




            •    Safe assignment of right of ways
•      Maintain movement along major transportation facilities
        •     Provide reliable and relevant information

    Homeland
    Security
                                                                        11
               Highway Field Devices

Types of Devices                Attack Vectors
•Ramp/Gate/Signal Controllers   •Direct device access
•Fixed Dynamic Message Signs    •Vehicle born device cloning
•Portable Dynamic Message       •Viruses (emergent threat)
Signs
•Enforcement System
•Embedded Devices




                                      www.i-hacked.com

    Homeland
    Security
                                                               12
        Emerging Technologies:
     Cooperative Vehicle Applications

 E-payment
Transactions                         “The
                                                      Opportunity
                                    Network”              for
               V2I Safety                             Innovation
               Messages


            Signal Phase
             and Timing                         Real Time Network Data
             Information

V2V Crash
avoidance
                            Probe
                             Data




Homeland
Security
                                                                          13
We’re Increasing the Potential Attack Surface


     Satellite   Cellular   WiFi   Radio   DSRC

 Blue Tooth                            CD & MP3
 & RF
                                       Mechanics’
 Wireless                              Tools
 Sensors




    Homeland
    Security
                                                    14
            Highway Progress to Date

• Documenting the “universe” of control systems in highway/roadway;
  Intelligent Transportation Systems (ITS)
• Reviewing the National ITS Architecture, ITS Application Standards,
  and US DOT ITS Joint Program Office website (ITS body of knowledge,
  ITS deployments, etc.)
• Scheduling surveys and case studies to west coast & southern cities as
  well as large and medium metropolitan areas.
• Some sites lead the nation in transportation Innovation
• Examine Cooperative Vehicle Applications (Vehicle-Vehicle, Vehicle-
  Infrastructure)




    Homeland
    Security
                                                                       15
Surface Transportation Public Transportation

                 Emerging Technologies
              Positive Train Control Systems




   Homeland
   Security
                                               16
             Lodz, Poland, January 2008

14 Year Old Boy Derails Polish Trams with Modified TV Remote




– 4 light rail train (trams) derailed, 12 people hurt
– Tool used: Converted television IR remote
– Vulnerability: Locks disabling track changes when vehicle are present
  was not installed.


    Homeland
    Security
                                                                          17
Surface Transportation – Public Transit Progress to Date



• Inventory Scans
    – Public Transit Rail
    – Heavy Rail
• Case Studies
    – Small east coast Transit Authority
    – Large west Coast metropolitan city
•   APTA CCSWG Regional Meetings
•   UK TRANSEC Cyber Threat Workshop
•   Schedule DHS-CSSP CSET Training (across USA)
•   Coordinated DHS-CSSP Panel for APTA Meeting in New Orleans (Oct )




        Homeland
        Security
                                                                        18
Aviation Existing Air Traffic Control System




  Homeland
  Security
                                               19
       Emerging Technologies
  NextGen Air Traffic Control System




Homeland
Security
                                       20
Understanding Requires Collaboration

                                      •   Designers & manufacturers
                                      •   Equipment suppliers
                                      •   System integrators
                                      •   Expert consultants
                                      •   University & government
                                          researchers
                                      •   Testing organizations
                                      •   Users (airlines)
                                      •   Infrastructure operators
                                      •   Standards organizations
 Example: Airborne Network Security   •   Certifiers and regulators



    Homeland
    Security
                                                                      21
                 Aviation Progress to Date

Inventory Scans
• Completed the preliminary inventory of eEnabled aviation assets & finalized
    preliminary findings = 613 Control Systems (211 ranked)
• Continue collection, research and analysis on UAS info for the eEnabled Aircraft
    Inventory
• National Airspace System (NAS) Inventory (TBD)
CSET - Planned
• Health and Usage Monitoring System (HUMS) - engines
CSETs – Under Consideration
• Airlines
• EFB Applications
• In-Flight Entertainment (IFE)
Incident Response
• eEnabled Aircraft Incident Response White Paper


        Homeland
        Security
                                                                                     22
     Maritime Automated Systems




Homeland
Security
                                  23
Existing Automated Maritime Systems
            • Today’s maritime environment includes
              automation throughout our nation’s ports
               – Automated entry systems
               – Wireless cargo tracking
               – Driverless cranes and other vehicles




                       Volpe Center Images




Homeland
Security
                                                         24
                    Driverless Vehicle
Hamburg Germany. Driverless vehicle moving 40’ container to automated
storage crane.




                                                                        Volpe Center Image
    Homeland
    Security
                                                                                             25
                    Crane Accident
Oakland, CA. Dropped cargo container too early. Is this a result of
a Control System failure?




                                                                      Countryman & McDaniel
  Homeland
  Security
                                                                                              26
           Inland Waterway System




               Volpe Center Images




Homeland
Security
                                     27
           SmartLock




Homeland
Security
                       28
                  Fire Onboard
 •   Could bad planning software have made it worse?
 •   Hazmat too close together?




Homeland
Security
                                                       29
           Navigation Malfunction
     • Human error or equipment malfunction?




Homeland
Security
                                               30
                 Dry-dock Malfunction
Dubai. Opened sea gate while workers were under vessel resulting in 27
deaths and the loss of 2 vessels.




                                                                Countryman & McDaniel
  Homeland
  Security
                Maritime Progress to Date

Surveyed
• A major international ship container carrier’s two vessels docked on
  the east coast.
• An international truck/car carrier on the east coast.
• Two major container terminals on the east coast, and one in the Gulf
  of Mexico.
• One of the worlds largest port and container terminals in the US

Contacted vessel owners and shipping lines at CMA Shipping 2011
  Conference in Stamford, CT.

Presented CSSP info to ports, terminals, & equipment manuf. at Port &
   Terminal Technology Conf in Houston, TX.

       Homeland
       Security
                                                                         32
           Pipeline




Homeland
Security
                      33
          Pipeline systems in US infrastructure


Pipeline Systems:
• Are critical in distribution systems for both oil and natural gas
• Have carried over 15 billion barrels of domestic oil
• Control Systems play major roles
• Smart Pigs
• US DOT Pipeline and Hazardous Materials Safety Administration
    o Top priority is safety




        Homeland
        Security
                                                                      34
             Pipeline Progress to Date



• Conducted industry reviews
• Coordinated outreach and awareness to TSA/Pipeline and DOT/PHMSA
• Initial meetings with northeastern US gas distribution company
• Initial review of a large US strategic operator
• Attended API Pipeline Conference in Texas in April to develop industry
  contacts and to identify industry risk
• Develop a Control System inventory for pipeline




     Homeland
     Security
                                                                      35
Cross Cutting Multi Model Progress to Date

   • Professional Capacity Building
       – Government and private sector = 675

   • Outreach and Awareness
      – Separate activities = 25

   • CSET - Completed, Planned or ongoing = 25

   • Case Studies - Completed, Planned or ongoing = 8

   • Transportation Sector Roadmap



   Homeland
   Security
                                                        36
            Major Players in CSSP-Transportation

•   DHS CSSP. Joint Working Groups, Conferences & Workshops
•   Roadmap Committee & Participants
•   Transportation Security Administration (TSA) Cyber Security Awareness/Outreach
•   American Public Transportation Association (APTA)
•   Association of American Railroads (AAR) Risk Group
•   American Association of State Highway and Transportation Officials (AASHTO)
•   Intelligent Transportation Society of America (ITS America)
•   Society of Automotive Engineers (SAE)
•   Transportation Research Board (TRB)
•   Information Sharing and Analysis Centers (ISACs)
•   Radio Technical Commission for Aeronautics (RCTA)
•   Volpe Center and other DOT Modes
•   International Transportation Counterparts
•   U. S. Coast Guard

           Homeland
           Security
                                                                                     37
        Next Steps for CSSP-Transportation

• Expanding assistance to industry in all modes
   – Aviation, ST PT, Highway, Maritime, Pipeline
   – Inventory, CSETS, Standards, NCIRP,
   – Transportation ISACS
   – International

• Outreach to DOT Model Administrators, operators, vendors

• Transportation Roadmap

• Professional Capacity Building

• Host a Transportation Cyber Collaborative Workshop

     Homeland
     Security
                                                             38
                      Questions / Feedback


                          David E. Sawin
                         Program Manager

                      Information Assurance - Control Systems
                 Intermodal Infrastructure Security and Operations
                          US Department of Transportation
                Research and Innovative Technology Administration
                   Volpe National Transportation Systems Center
Voice: 617.494.2206, Wireless: 781.760.4176 , STE: 617.494.3746, Fax: 617.494.2902
                                david.sawin@dot.gov




      Homeland
      Security
                                                                                     39

								
To top