
Post on 18-Dec-2015


NCHRP 20-59 (48)

2014 TRB ANNUAL MEETING

Effective Practices for the Protection of Transportation Infrastructure from Cyber Incidents

Dave Fletcher, Co-PI

January 15, 2014

Cyber Threats to Transportation

CASE, LLC and WMC, LLC


NCHRP 20-59 (48) Scope

Transit Control Systems

Transit Data Systems

Highway Control Systems

Highway Data Systems

Research Plan


Cyber Security Primer Topics

Section 1 – Risk Management Principles and Enterprise Risk Management Approaches

Section 2 – Risk Assessment, Surveys and Audits

Section 3 – Plans and Strategies, Establishing Priorities, Organizing Roles and Responsibilities

Section 4 – Cyber Security Principles

Section 5 – Transportation Infrastructure, Protection of Operational and Information Systems

Section 6 – Training, Building a Culture of Cyber Security

Section 7 – Security Programs, Available Resources, Support Frameworks

Cyber Security in Transportation Survey

Scanning survey to:

Raise awareness of cyber issues

Baseline sector cyber security maturity

Identify “best practice” organizations

Paper or digital version

850 invitations to DOTs, Transit, SCOTSEM, AASHTO, other stakeholders

90+ responses (11% return)

Survey Objectives

C.A.S.E. LLC and Western Consulting LLC

How serious a problem do respondents perceive cyber security to be?

How serious of a problem has cyber security been in the transportation industry to date?

What are the quantity and depth of resources (i.e., skills, dollars, training time, etc.) being applied to these problems?

Is this investment sufficient, given all the other things that need attention?


Preliminary Findings


Most respondents are aware of cyber-threats and vulnerabilities but rank them as moderate to low.

Most respondents assess risk to control systems as less than risk to data systems

Line-of-business managers see security as an IT issue

Top 3 threat vectors believed to be natural disasters, criminal behaviors of outsiders and/or the loss of critical related services

Almost no respondent reported cyber security events


Preliminary Findings


Security responses driven by desire to reduce or avoid service interruption, loss of life and property damage

Although most reported cyber readiness as good or better, only 20% had a current and tested Continuity of Operations or Disaster Recovery Plan

2 of 3 indicated implementing some “best practices” but 3 of 4 unfamiliar w/ national standards


Thank You

Please contact

Ernest “Ron” Frazier, Co-Principal Investigator
Countermeasures Assessment and Security Experts, LLC (CASE™)
Phone: 302-322-9600
ronfrazier@caseexperts.com

Dave Fletcher, Co-Principal Investigator
Western Management and Consulting, LLC
Phone Number: 505-379-6499
fletcher.d@att.net

Jeffrey Western, Administrative Officer
Western Management and Consulting, LLC
Phone Number: 608-692-8414
Jeffrey.western@consultingwestern.com