• Home

  • Documents

  • NHTSA Cyber Security Best Practices Study Tim Weisenberger December 7, 2011

If you can't read please download the document

NHTSA Cyber Security Best Practices Study Tim Weisenberger December 7, 2011

Embed Size (px)

Citation preview

  • Slide 1
  • NHTSA Cyber Security Best Practices Study Tim Weisenberger December 7, 2011
  • Slide 2
  • Presentation Overview Purpose of the study Study approach and methodology Lessons Learned 2
  • Slide 3
  • Study Purpose Seek best practices in industries with similar concerns, risks, and constraints to the Automotive industry (NOT a study of cybersecurity in Automotive) Get a sense of where others are in tackling cybersecurity and where they are going Bring forward key learnings to help NHTSA craft a strategic roadmap for automobile electronic resiliency Parallel study of system reliability of safety-critical automobile electronic systems 3
  • Slide 4
  • Research Approach Open solicitation to learn from any and all cyber experts 4 Literature Review Request For Information SME Interviewing Findings These three elements resulted in final findings Sought out specific experts to discuss cyber security best practices Reviewed academic research, standards, etc.
  • Slide 5
  • Industries/Sectors Studied and Why Information Technology Foundation of cyber security best practicesTelecommunications Wireless enabled Internet, cloud computing, etc. has led to: Increased threat vectors of hacking community Made hacking more sophisticated (shared online tools, hacking social networks, etc.) 5
  • Slide 6
  • Industries/Sectors Studied and WhyAviation Aircraft-airspace very similar to vehicle-roadway E-enabled aircraft mirrors highly IT-intensive, connected vehicle Advent of NextGen parallels Cooperative Vehicle FAA has been working security issue for years Industrial Control Systems/Energy Infrastructure (networks/devices) often located in public Migrating forward with new IT and Telecommunications; security addressed later DHS (ICS), NRC (Nuclear), and FERC (Energy) have been working the security issue for some time 6
  • Slide 7
  • Industries/Sectors Studied and Why Financial Payments Highly distributed risk (accepting merchants, online storefronts, processors, etc.) Need to secure networks outside of the card issuers purview Medical Devices Extremely safety/life critical Extremely high degree of privacy 7
  • Slide 8
  • Overarching Cybersecurity Issues Must correlate security and safety; you cant have a safe system without a secure system Transportation mission is currently safety not security Systems are no longer closed; therefore potentially more vulnerable Operational systems extensively connected via IT and mesh communications networks Perception that there is no ROI for security Security must be a lifecycle approach 8
  • Slide 9
  • Information Security Lifecycle 9
  • Slide 10
  • Security Lifecycle NIST 800 Series/FIPS 10 Security Life Cycle SP 800-39 Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system). SP 800-53A ASSESS Security Controls ASSESS Security Controls Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business. FIPS 199 / SP 800-60 CATEGORIZE Information System Starting Point Continuously track changes to the information system that may affect security controls and reassess control effectiveness. SP 800-37 / SP 800-53A MONITOR Security State MONITOR Security State SP 800-37 AUTHORIZE Information System Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings. IMPLEMENT Security Controls SP 800-70 FIPS 200 / SP 800-53 SELECT Security Controls Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
  • Slide 11
  • Industry Best Practices Findings 11
  • Slide 12
  • 12 Key LearningSource Industry Cybersecurity is a lifecycle process that includes elements of assessment, design, implementation and operations as well as an effective testing and certification program All The Aviation industry seems to be the tightest parallel to the Automotive industry FAA/Volpe Center Strong leadership from the Federal government is needed for development of industry-specific cybersecurity standards, guidelines, and best practices FAA Get involved in the rule-making process early; for example, the FAA has learned that they must take an active role in vulnerability assessment and a collaborative role with the industry to identify mitigation approaches that translate into technical solutions FAA
  • Slide 13
  • 13 Key LearningSource Industry Private sector industry believes government should identify a set of minimum security requirements; specifically performance specifications not technical specifications Aviation, Automotive Ongoing shared learning with other Federal government agencies is beneficial FAA, NRC, NIST Use of NIST Cybersecurity Standards for a baseline is a way to accelerate development of an industry-specific cybersecurity guideline FAA, NIST, NRC, Automotive Leverage of international cybersecurity efforts are a key source of learning; for example EVITA efforts and Timed- Triggered Communications Protocol Automotive, Aviation
  • Slide 14
  • 14 Key LearningSource Industry Government should lead the development of a cybersecurity simulator which can facilitate identification of vulnerabilities and risk mitigation strategies and can be used for: Collaborative learning (government, academia, private sector, international) Federal Rule-making FAA There must be cybersecurity standards for the entire supply chain Automotive, Financial Payments Government should help foster industry cybersecurity groups for exchange of cybersecurity information IT, DHS, NIST
  • Slide 15
  • 15 Key LearningSource Industry Use of Professional Capacity Building to address cybersecurity skillsets that must be acquired by operational system designers and engineers All Connected Vehicle security must be end-to-end; vehicles, infrastructure and V2X communication must ALL be secure. Aviation, Automotive
  • Slide 16
  • Findings Linked to Security Lifecycle 16
  • Slide 17
  • CONTACT INFORMATION 17 Michael Dinning US DOT John A. Volpe National Transportation Systems Center [email protected] Edward Fok FHWA Resource Center in San Francisco Office of Technical Service - Operations Technical Service Team [email protected] Timothy Weisenberger US DOT John A. Volpe National Transportation Systems Center [email protected]

NHTSA Tire Aging Test

NHTSA Tire Aging Test

Documents
50th Male WorldSID - NHTSA

50th Male WorldSID - NHTSA

Documents
Before You Go - NHTSA

Before You Go - NHTSA

Documents
NHTSA Cyber Security Best Practices StudyPresentation Overview • Purpose of the study • Study approach and methodology • Lessons Learned . 2 . Study Purpose • Seek best practices

NHTSA Cyber Security Best Practices StudyPresentation Overview • Purpose of the study • Study approach and methodology • Lessons Learned . 2 . Study Purpose • Seek best practices

Documents
TABLE OF CONTENTS - NHTSA

TABLE OF CONTENTS - NHTSA

Documents
Bicycle Safety - NHTSA

Bicycle Safety - NHTSA

Documents
Introduction Instructor - NHTSA

Introduction Instructor - NHTSA

Documents
CHILD RESTRAINT SYSTEMS - NHTSA

CHILD RESTRAINT SYSTEMS - NHTSA

Documents
Unsafe Motorcycle Helmets - NHTSA

Unsafe Motorcycle Helmets - NHTSA

Documents
Aggressive Driving Enforcement - NHTSA

Aggressive Driving Enforcement - NHTSA

Documents
Highway Safety Plan - NHTSA

Highway Safety Plan - NHTSA

Documents
Steve Kratzke, NHTSA (ppt)

Steve Kratzke, NHTSA (ppt)

Documents
Nhtsa Aeb Report

Nhtsa Aeb Report

Documents
NHTSA seat belt report

NHTSA seat belt report

Documents
TP119-04 - NHTSA

TP119-04 - NHTSA

Documents
2007 NHTSA ASSESSMENT WHAT IT CAN DO FOR YOU!. What is NHTSA? What is NHTSA? National Highway Transportation Safety Administration National Highway Transportation

2007 NHTSA ASSESSMENT WHAT IT CAN DO FOR YOU!. What is NHTSA? What is NHTSA? National Highway Transportation Safety Administration National Highway Transportation

Documents
DCR Data Dictionary - NHTSA

DCR Data Dictionary - NHTSA

Documents
Sample - NHTSA

Sample - NHTSA

Documents
Nhtsa Inertia Database Metric

Nhtsa Inertia Database Metric

Documents
weisenberger townhome LOT portfolio · weisenberger lot portfolio | fort worth, tx | 2 cameron deptula 2929 carlilse street, suite 250 dallas, tx 75204 c: (214) 497-0276 e: cdeptula@db2re.com

weisenberger townhome LOT portfolio · weisenberger lot portfolio | fort worth, tx | 2 cameron deptula 2929 carlilse street, suite 250 dallas, tx 75204 c: (214) 497-0276 e: [email protected]

Documents
NYC MV104AN template1 - NHTSA

NYC MV104AN template1 - NHTSA

Documents
2007 Nhtsa Aride Manual

2007 Nhtsa Aride Manual

Documents
NEW YORK STATE - NHTSA

NEW YORK STATE - NHTSA

Documents
NHTSA Motorcoach Final Rule

NHTSA Motorcoach Final Rule

Documents
Washington State - NHTSA

Washington State - NHTSA

Documents
PRELIMINARY ECONOMIC ASSESSMENT - NHTSA

PRELIMINARY ECONOMIC ASSESSMENT - NHTSA

Documents
Drew Weisenberger (Group Leader) – detector concepts / design applications

Drew Weisenberger (Group Leader) – detector concepts / design applications

Documents
Howell, Rosa (NHTSA)

Howell, Rosa (NHTSA)

Documents
SAFETEA - LU NHTSA Highway Safety Programs SAFETEA - LU NHTSA Highway Safety Programs

SAFETEA - LU NHTSA Highway Safety Programs SAFETEA - LU NHTSA Highway Safety Programs

Documents
NHTSA Cybersecurity Best Practices

NHTSA Cybersecurity Best Practices

Technology