1[Distribution Statement (A-F)]
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213
The Need for Operational and Cyber Resilience inTransportation Systems
January 14, 2016
Dr. Nader Mehravari, MBCP, MBCI
Cyber Risk and Resilience ManagementSoftware Engineering InstituteCarnegie Mellon [email protected]://www.cert.org/resilience/
2[Distribution Statement (A-F)]
Notices
Copyright 2015 Carnegie Mellon University
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at [email protected].
Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.
DM-0003164
3© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
CERT | Software Engineering Institute | Carnegie Mellon
Software Engineering Institute (SEI)
• Federally funded research and development center based at Carnegie Mellon University
• Basic and applied research in partnership with government and private organizations
• Helps organizations improve development, operation, and management of software-intensive and networked systems
CERT Division – Anticipating and solving
our nation’s cybersecurity challenges
• Largest technical program at SEI
• Focused on internet security, secure systems, operational resilience, and coordinated response to security issues
4© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Cyber Risk & Resilience Management Team
Engaged in
• Applied research
• Education & training
• Putting into practice
• Enabling our federal, state, and commercial partners
In areas dealing with
• Resilience Management
• Operation Risk Management
• Cyber and Resilience Frameworks
• Integration of cybersecurity, business continuity, & disaster recovery
5© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Contents
Operational Stress
Cyber-Induced Operational Stress on Transportation Sector
Prevention is Futile
Operational Resilience & Cyber Resilience
Techniques for Improving and Managing Cyber Resilience
Summary
6© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
What do you see here?
A set of well looking evergreens.
7© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Look Again!
A tree under operational stress
8© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Operational Stress
Naturalor
Manmade
Accidentalor
Intentional
Smallor
Large
Kineticof
Cyber
InformationTechnology
or Not
• Fire
• Flooding
• IT failures
• Earthquakes
• Cyber attacks
• Severe weather
• Network failures
• Technology failures
• Organizational changes
• Loss of service provider
• Strikes or other labor actions
• Loss of customer or trading partner
• Chemical, biological, nuclear hazards
• Unavailability of workforce
• Failed internal processes
• Supply chain disruption
• Employee kidnappings
• Workplace violence
• Data corruption
• Product failure
• Power outages
• Civil unrest
• Terrorism
• Fraud
• Etc.
Result in
Interruption
of
Business
Mission
…through which risks
are realized
Today’s
Discussion
Today’s
Discussion
9© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Examples
of
Cyber-Induced Operational Stress
on
Transportation Sector
10© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
July 2015
11© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
August 2015
12© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
August 2015
13© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
January 2008
14© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
January 2012
15© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
September 2012
16© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
December 2015
17© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
October 2013
18© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
October 2015
19© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
May 2012
20© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
February 2014
21© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
August 2014
22© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
May 2015
23© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
24© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Aviation
Maritime
Mas
Transit
Passenger
Rail
Postal &
Shipping
Pipeline
Freight
Rail
Highway
InfrastructureMotor
Carrier
Discussion is Applicable to All Subsectors
25© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Discussion is Applicable to…
Transportation
Subsectors
Primary Units of
Transportation
Modes of
Transportation
Aviation People & Goods Air
Highway Infrastructure & Motor Carrier People & Goods Ground
Maritime Transportation Systems People & Goods Sea
Mass Transit & Passenger Rail People Ground
Pipeline Systems Oil & Gas Ground
Freight Rail Goods Ground
Postal & Shipping Mailpieces &
Goods
Air, Ground,
Sea
26© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Prevention is Futile
27© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Cyber Intrusions are a Fact of Life
28© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Traditional Information Security Function
Protect / Shield / Defend / Prevent
Is necessary
Is not Sufficient
Fails too frequently
29© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Operational and Cyber Resilience
30© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
An Operationally Resilient Entity?
A tree under operational stress…
…while achieving its “business” mission
31© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Operational Resilience
The emergent property of an entity
• that can continue to carry out its mission in the presence of operational stress and disruption that does not exceed its limit
The ability of an entity to
• Prevent disruptions from occurring;
• And when struck by a disruption, the ability to quickly respond to and recover from a disruption in the primary business processes.
32© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Sample Techniques
for
Improving and Managing
Cyber Resilience
33© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Organizational Aspects
How should organizational structures, roles, and
responsibilities be adapted?
Example:
• “Traditional” vs. “Modern” information security functions
34© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Modern Information Security Functions
Protect / Shield /
Defend / Prevent
Monitor / Detect / Hunt
Management,
Governance,
Compliance,
Education,
Risk Management.
Respond/ Recover /
Sustain
35© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Operational Risk Aspects
How should organizations adapt their overall operational risk
management principles and practices?
Example:
• Integration and convergence of operational risk management activities.
36© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Today’s Operational Risk Management
IT Disaster Recovery
Continuity of Operation
(COOP)Business
Continuity
Emergency
Management
Supply Chain
Continuity
Crisis
ManagementContingency Planning
Pandemic
Planning
Preparedness
Planning
Operational Risk
Management
Enterprise Risk Management
IT Operations
Privacy
Risk
Management
Workforce
Continuity
Cyber Protection
Crisis Communications
Information
Security
Health & Safety
37© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Desired Solution Approach
IT
Disaster
Recovery
Business
Continuity
Health &
Safety
Emergency
Management
Crisis
Management
Information
Security
IT
Operations
Supply
Chain
Continuity
Physical
Security
Workforce
Continuity
Operational
Resilience
IT Disaster Recovery
Continuity of
Operation (COOP)Business
Continuity
Emergency
Management
Supply Chain
Continuity
Crisis
Manageme
ntContingency Planning
Pandemic
Planning
Preparedness
Planning
Operational Risk
Management
Enterprise Risk Management
IT Operations
Privacy
Risk
Management
Workforce
Continuity
Cyber Protection
Crisis Communications
Information
Security
Health & Safety
38© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Tools and Techniques Aspects
What structured (i.e., not ad hoc) frameworks could guide
and assist organizations?
Example:
• Resilience Management Model
39© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
What is Resilience Management Model?
Framework for managing and improving operational resilience
Guides implementation, mgmt, and sustainment of operational risk management activities
Improves confidence in how an organization manages and responds to operational stress
Focuses on “What” not “How”
Applicable to a variety of organizations• small or large
• simple or complex
• public or private
“…an extensive super-
set of the things an
organization could do to
be more resilient.”
- CERT-RMM adopter
40© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
A Sampling of RMM Success Stories
41© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
In Closing
42© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Sampling of ITS Emerging Capabilities
Advanced Driver
Assistant Systems
(ADAS)
• Smart lighting control
• Adaptive cruise control
• Lane departure warning
• Parking assistAdvanced fleet
Management
• Real-time telematics
• Driver fatigue detection
• Package tracking.
Smart Transportation
• Vehicle-to-infrastructure communications
• Smart intersection
• Traffic light control
• Collision avoidance
• Traffic management.
Autonomous
Driving
Convenience,
Comfort, &
Entertainment
• Keyless entry
• Remote engine start
• Mobile device integration
• Infotainment
Diagnostics &
Maintainability
• On-Board Diagnostics
• Software update in the garage
• Tire Pressure Monitoring
Etc., Etc., Etc. …
43© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Commonalities in Emerging Capabilities
Commonalities?
Information
Technology
&
Communication
Technology
44© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Primary Risks to Common Elements
Accidental
Information
Technology
&
Communication
Technology
Intentional
Design Flaws
Cybersecurity
Component Failures
45© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Cyber Risk Mitigation Challenge
Traditional IT cybersecurity contingencies are not feasible
• Failover over to a disaster recovery site
• Restoring from backup
• Failover to another vehicle
• Federal Motor Vehicle Safety Standards (FMVSS) timeframes precludes “Patch Tuesdays.”
• Can’t call a breach response team (AAA does not do that yet)
Successful management of cyber risk within ITS may
require a (significant) shift in thinking and approach.
46© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Promising and Proven Approach
Cyber
Resilience
Management
47© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Thank you for your attention.
48© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
References
1. J. H. Allen, R. H. Caralli, and D. W. White, CERT® Resilience Management Model: A Maturity Model for Managing
Operational Resilience, Addison-Wesley Professional, 2010.
2. N. Mehravari, J. Allen, P. Curtis, and G. Crabb, “A Proven Method for Identifying Security Gaps in International Postal
and Transportation Critical Infrastructure,” 93rd Annual Transportation Research Board Conference, Washington, DC,
January 13-18, 2014.
3. N. Mehravari, J. Allen, P. Curtis, and G. Crabb, “Improving the Security and Resilience of U.S. Postal Service Mail
Products and Services,” 93rd Annual Transportation Research Board Conference, Washington, DC, January 13-18,
2014.
4. N. Mehravari, "Cybersecurity Update,” a lecture as part of the Business Continuity and Crisis Management Summer
School, Massachusetts Institute of Technology, July 2015.
5. N. Mehravari, “Cyber and Operational Resilience Management,” half-day tutorial, planned for 2015 IEEE Military
Communications Conference (MILCOM’15), Tampa, FL, October 26-28, 2015.
6. N, Mehravari, “Principles and Practice of Operational Resilience,” half-day tutorial, IEEE Systems Conference,
Vancouver, BC, April 12-16, 2015.
7. N. Mehravari, “Information Resilience in Today's High-Risk Economy,” Software Engineering Institute Blog, November
17, 2014.
Top Related